AppEngine sends header: X-XSS-Protection: 0

55 views
Skip to first unread message

chadwackerman

unread,
Oct 10, 2009, 8:19:14 AM10/10/09
to Google App Engine
Just noticed this. This disables the IE8 XSS security filter.

Many Google sites seem to be sending it. It's odd.

Regardless, on AppEngine, seems like it should be left to the app to
decide and not Google.
I'm seeing it on static pages so I don't think it's Django or webapp.

Anyone know what's up?

Alexander Konovalenko

unread,
Nov 20, 2009, 11:20:39 AM11/20/09
to Google App Engine, chadwackerman
Can you think of an attack that would have been mitigated by the
filter if it was enabled for static content? If someone comes up with
an attack, our chances to get rid of the ugly header quickly will
improve significantly. Seriously, I'd like to know why they added it
in the first place.

I have shared my thoughts in the issue tracker:
http://code.google.com/p/googleappengine/issues/detail?id=2417
Sooner or later someone from the App Engine team will notice that
issue and respond.

-- Alexander
Reply all
Reply to author
Forward
0 new messages