[Django] #32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)


Django

Apr 23, 2021, 8:59:53 AM
to django-...@googlegroups.com
#32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Tim Graham
Type: Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
As proposed on [https://groups.google.com/g/django-developers/c/Y5ewyst1gbg/m/ciqn-pwLBAAJ django-developers], remove this setting and its functionality without a deprecation.

Django's docs say, "Modern browsers don't honor X-XSS-Protection HTTP header anymore. Although the setting offers little practical benefit, you may still want to set the header if you support older browsers."
https://docs.djangoproject.com/en/3.2/ref/settings/#secure-browser-xss-filter

According to Mozilla's docs, the header is supported by IE8 and Safari.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

In Django 3.0, the system check that suggested using this setting was
removed (#30680).

--
Ticket URL: <https://code.djangoproject.com/ticket/32678>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
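The ticket drops the setting, while the docs it quotes note that sites still serving older browsers may want the header anyway. The following is an added example, not Django's code and not part of PR 14306: a framework-agnostic WSGI middleware that re-adds the header with the `1; mode=block` value Django's SecurityMiddleware sent while the setting existed. `make_app` and `call_app` are constructed helpers so the middleware can be exercised offline.

```python
"""Added example, not Django's own code: a framework-agnostic WSGI middleware
that re-adds the legacy X-XSS-Protection header for deployments that must still
serve the older browsers the ticket mentions, now that Django no longer has a
SECURE_BROWSER_XSS_FILTER setting to do it."""

from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# The header/value pair Django's SecurityMiddleware emitted while the setting
# existed. Modern browsers ignore it, so it only matters for IE8-era clients.
LEGACY_XSS_HEADER = ("X-XSS-Protection", "1; mode=block")


class LegacyXSSFilterMiddleware:
    """Append X-XSS-Protection unless the wrapped app already set its own."""

    def __init__(self, app: Callable, enabled: bool = True) -> None:
        self.app = app
        self.enabled = enabled

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def _start_response(status: str, headers: Headers, exc_info=None):
            headers = list(headers)  # never mutate the app's own list
            present = any(name.lower() == "x-xss-protection" for name, _ in headers)
            if self.enabled and not present:
                headers.append(LEGACY_XSS_HEADER)
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def make_app(extra_headers: Headers) -> Callable:
    """Constructed sample WSGI app that replies 200 with the given headers."""
    def app(environ: dict, start_response: Callable) -> Iterable[bytes]:
        start_response("200 OK", [("Content-Type", "text/plain")] + list(extra_headers))
        return [b"hello"]
    return app


def call_app(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    # Drive a WSGI app with a minimal constructed environ and return the reply.
    captured: dict = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Wrap the project's WSGI application object with `LegacyXSSFilterMiddleware(application)` only for deployments that actually need the header; everywhere else leaving it out matches what Django now does by default.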

Django

Apr 23, 2021, 9:15:56 AM
to django-...@googlegroups.com
#32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Tim Graham
Type: Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/14306 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/32678#comment:1>

Django

Apr 23, 2021, 9:42:20 AM
to django-...@googlegroups.com
#32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Tim Graham
Type: Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security, xss | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Nick Pope):

* keywords: => security, xss
* easy: 0 => 1
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/32678#comment:2>

Django

Apr 29, 2021, 4:30:49 AM
to django-...@googlegroups.com
#32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Tim Graham
Type: Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: security, xss | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/32678#comment:3>

Django

Apr 30, 2021, 6:58:46 AM
to django-...@googlegroups.com
#32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Tim Graham
Type: Cleanup/optimization | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: fixed
Keywords: security, xss | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"54da6e2ac20bde80e0de9e35aa0c40ae1dd13943" 54da6e2]:
{{{
#!CommitTicketReference repository=""
revision="54da6e2ac20bde80e0de9e35aa0c40ae1dd13943"
Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32678#comment:4>
