Fix: Remove X-XSS-Protection use, check and recommendation

Co-authored-by: John Molakvoæ <skjnldsv@users.noreply.github.com>
Signed-off-by: invario <67800603+invario@users.noreply.github.com>
This commit is contained in:
invario
2025-06-13 16:12:27 -04:00
parent e6209d9135
commit 2b58f74cc8
8 changed files with 1 additions and 20 deletions


@ -40,9 +40,6 @@
Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "noindex, nofollow"
Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true
</IfModule>


@ -72,11 +72,6 @@ class SecurityHeaders implements ISetupCheck {
}
}
$xssFields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection')));
if (!in_array('1', $xssFields) || !in_array('mode=block', $xssFields)) {
$msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block']) . "\n";
}
$referrerPolicy = $response->getHeader('Referrer-Policy');
if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) {
$msg .= $this->l10n->t(


@ -84,7 +84,7 @@ class SecurityHeadersTest extends TestCase {
$result = $this->setupcheck->run();
$this->assertEquals(
"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
$result->getDescription()
);
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
@ -94,7 +94,6 @@ class SecurityHeadersTest extends TestCase {
return [
// description => modifiedHeaders
'basic' => [[]],
'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
@ -113,7 +112,6 @@ class SecurityHeadersTest extends TestCase {
public function testSuccess(array $headers): void {
$headers = array_merge(
[
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
@ -140,8 +138,6 @@ class SecurityHeadersTest extends TestCase {
return [
// description => modifiedHeaders
'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
@ -157,7 +153,6 @@ class SecurityHeadersTest extends TestCase {
public function testFailure(array $headers, string $msg): void {
$headers = array_merge(
[
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
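Review bot: With the `extra-xss-protection` success case dropped from the provider and the `'X-XSS-Protection' => '1; mode=block'` default removed from both header fixtures, nothing in this test now asserts that an instance which still emits an `X-XSS-Protection` header passes the setup check without a warning — for example a reverse proxy that keeps injecting `1; mode=block`, or an administrator who sets it to `0` as some current guidance recommends. One extra entry in the success provider, such as `'xss-protection-disabled' => [['X-XSS-Protection' => '0']],` next to the remaining cases, would pin that the removed check cannot quietly come back in a stricter form. The bodies of `testSuccess` and `testFailure` continue past the hunks shown here.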


@ -49,7 +49,6 @@ Feature: carddav
|X-Frame-Options|SAMEORIGIN|
|X-Permitted-Cross-Domain-Policies|none|
|X-Robots-Tag|noindex, nofollow|
|X-XSS-Protection|1; mode=block|
Scenario: Exporting the picture of ones own contact
Given "admin" creates an addressbook named "MyAddressbook" with statuscode "201"
@ -63,7 +62,6 @@ Feature: carddav
|X-Frame-Options|SAMEORIGIN|
|X-Permitted-Cross-Domain-Policies|none|
|X-Robots-Tag|noindex, nofollow|
|X-XSS-Protection|1; mode=block|
Scenario: Create addressbook request for non-existing addressbook of another user
Given user "user0" exists


@ -41,7 +41,6 @@ Feature: dav-v2
|X-Frame-Options|SAMEORIGIN|
|X-Permitted-Cross-Domain-Policies|none|
|X-Robots-Tag|noindex, nofollow|
|X-XSS-Protection|1; mode=block|
And Downloaded content should start with "Welcome to your Nextcloud account!"
Scenario: Doing a GET with a web login should work without CSRF token on the new backend


@ -291,7 +291,6 @@ Feature: webdav-related
|X-Frame-Options|SAMEORIGIN|
|X-Permitted-Cross-Domain-Policies|none|
|X-Robots-Tag|noindex, nofollow|
|X-XSS-Protection|1; mode=block|
And Downloaded content should start with "Welcome to your Nextcloud account!"
Scenario: Doing a GET with a web login should work without CSRF token on the old backend


@ -78,7 +78,6 @@ class OC_Response {
header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
}
}
}


@ -10,7 +10,6 @@
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "noindex, nofollow"
Header set X-Frame-Options "SAMEORIGIN"
SetEnv modHeadersAvailable true