-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should x-xss-protection default to “0” instead of “1; mode=block” #439
Comments
I'm the maintainer of the linked module and have been thinking about this for awhile. My thoughts: I see two reasonable options for this header's default value:
No matter what we choose, the default will put some people at risk. I'm coming around to the idea that the default should be What do you think? As a meta point, I think the maintainers of Helmet, Secure Headers, and many other modules need to answer questions like this. Should we find a way to work together? I don't think we need to do anything fancy, but it could be good to get all of us on an email list or something. I think this isn't the place to discuss that, but want to float the idea. |
I'll reply in here, instead of the issue at Helmet's repository. If I were to recommend, I'd follow point number 2 and disable the XSS auditor. As for CSP, setting a default might be tricky. I mean I like it, but not so advanced developers won't like it. It could be an opportunity to make CSP implemented and more wide-spread if libraries set secure defaults. How I am looking at it:
cc @lweichselbaum for additional input on CSP, and what they think about implementing a CSP secure default. |
@ThunderSon thanks for the followup in another thread! This library will set csp by default that should work for apps out of the box and is a nice mix of common needs for apps without sacrificing all the security. I'm not sure how many people actually use it, but I'm a strong advocate of providing a default and I've seen it work wonders. Of course, I have no idea how many people actually use the default or benefit from it but I'm not worried about negative effects here.
|
That |
@oreoshake how are you thinking of softening it up? What is an example that you're thinking of? |
My stance on the default policy as-is (or at all) being a good idea. @EvanHahn does helmet set a default policy? |
The current version does not, but I intend to add one in the next major version of Helmet. |
I think I'm going to try and tackle this in the next release. It's a breaking change and #422 really needs to get out (and is also a breaking change). |
@ho4ho at this point, I don't think there's any disagreement, there just hasn't been a pull request for it. |
Does anyone know if there's a similar issue in rails/rails? Might as well change it there too. |
Circling back to this, GitHub has defaulted to |
It should be noted that many modern browsers don't support this header:
The MDN docs also warn against the use of this header:
|
Related https://github.com/helmetjs/x-xss-protection/issues/14
There’s some good discussion there. The owasp consensus is that it does more harm than good.
We’ve always allowed people to override this setting, but maybe we should change the default.
The text was updated successfully, but these errors were encountered: