[Django] #30680: Remove security.W007 check


Django

Aug 5, 2019, 4:48:15 AM
to django-...@googlegroups.com
#30680: Remove security.W007 check
-------------------------------------------------+------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: Uncategorized | Status: new
Component: Core (Other) | Version: 2.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------------+------------------------
As discussed in #30426, it seems that the X-Xss-Protection security header
is no longer industry best practice, as major browsers are removing their
XSS auditors and security professionals no longer recommend it:

* Scott Helme has stopped requiring it on SecurityHeaders.com -
https://scotthelme.co.uk/security-headers-updates/
* Chrome is removing their XSS Auditor -
https://bugs.chromium.org/p/chromium/issues/detail?id=968591
* Edge already removed their XSS auditor
* This is all because the protection is minimal and the false positives
tend to be damaging - https://frederik-braun.com/xssauditor-bad.html

As suggested by Ran on #30426, rather than enforce the setting
`SECURE_BROWSER_XSS_FILTER`, we should actually be looking at removing the
check `security.W007` so users have one less thing to think about for a
modern security posture.

--
Ticket URL: <https://code.djangoproject.com/ticket/30680>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
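To make concrete what the check under discussion evaluated, and what a project could do about it before this change landed, here is an added, simplified Python model of a settings-driven deploy check in the style of security.W007 together with the SILENCED_SYSTEM_CHECKS escape hatch. It is example code written for this thread, not Django's own implementation, and runs without Django installed: the Settings and Warning_ classes, run_checks, and the warning text are assumptions; SILENCED_SYSTEM_CHECKS, SecurityMiddleware, SECURE_BROWSER_XSS_FILTER and the '1; mode=block' header value are Django's real names.

```python
"""Simplified model of a Django-style deploy check for SECURE_BROWSER_XSS_FILTER.

Added example for this ticket thread; not Django's code. Nothing here imports
Django, so it runs stand-alone.
"""
from dataclasses import dataclass, field


@dataclass
class Settings:
    """Constructed stand-in for django.conf.settings: only the attributes the check reads."""
    MIDDLEWARE: list = field(default_factory=list)
    SECURE_BROWSER_XSS_FILTER: bool = False
    SILENCED_SYSTEM_CHECKS: list = field(default_factory=list)


@dataclass(frozen=True)
class Warning_:
    """Minimal stand-in for django.core.checks.Warning (id + message)."""
    id: str
    msg: str


SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

# Warning text is assumed; only the id 'security.W007' comes from the ticket.
W007 = Warning_(
    "security.W007",
    "SECURE_BROWSER_XSS_FILTER is not True, so responses will not carry the "
    "'X-XSS-Protection: 1; mode=block' header.",
)


def check_xss_filter(settings: Settings) -> list:
    """Modelled on the check this ticket removes: it only fires when
    SecurityMiddleware is installed (so the header could be sent at all)
    and the setting is not exactly True."""
    if SECURITY_MIDDLEWARE not in settings.MIDDLEWARE:
        return []
    return [] if settings.SECURE_BROWSER_XSS_FILTER is True else [W007]


def run_checks(settings: Settings, checks) -> list:
    """Run every check, then drop warnings whose id is listed in
    SILENCED_SYSTEM_CHECKS. Silencing is how a project on a Django release
    that still shipped W007 could keep `check --deploy` quiet without
    enabling the obsolete header."""
    found = [warning for check in checks for warning in check(settings)]
    return [w for w in found if w.id not in settings.SILENCED_SYSTEM_CHECKS]


def xss_protection_header(settings: Settings):
    """Value SecurityMiddleware would set for X-XSS-Protection when the
    setting is truthy; None means the header is not added."""
    return "1; mode=block" if settings.SECURE_BROWSER_XSS_FILTER else None


if __name__ == "__main__":
    checks = [check_xss_filter]
    scenarios = {
        "middleware on, setting off": Settings(MIDDLEWARE=[SECURITY_MIDDLEWARE]),
        "middleware on, W007 silenced": Settings(
            MIDDLEWARE=[SECURITY_MIDDLEWARE],
            SILENCED_SYSTEM_CHECKS=["security.W007"],
        ),
        "middleware on, setting True": Settings(
            MIDDLEWARE=[SECURITY_MIDDLEWARE], SECURE_BROWSER_XSS_FILTER=True
        ),
        "no SecurityMiddleware": Settings(),
    }
    for name, s in scenarios.items():
        ids = [w.id for w in run_checks(s, checks)]
        print(f"{name:32s} warnings={ids} header={xss_protection_header(s)!r}")
```

The third scenario is the only one where the header is actually emitted; the second shows that silencing the check and turning on the header are independent decisions, which is the distinction the ticket draws between enforcing the setting and removing the check.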

Django

Aug 5, 2019, 5:13:07 AM
to django-...@googlegroups.com
#30680: Remove security.W007 check.
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* component: Core (Other) => Core (System checks)
* version: 2.2 => master
* type: Uncategorized => Cleanup/optimization
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/30680#comment:1>

Django

Aug 5, 2019, 5:13:25 AM
to django-...@googlegroups.com
#30680: Remove security.W007 check.
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* easy: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/30680#comment:2>

Django

Aug 5, 2019, 7:37:30 AM
to django-...@googlegroups.com
#30680: Remove security.W007 check.
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Adnan Umer
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Adnan Umer):

* owner: nobody => Adnan Umer
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/30680#comment:3>

Django

Aug 5, 2019, 8:27:41 AM
to django-...@googlegroups.com
#30680: Remove security.W007 check.
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Adnan Umer
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Adnan Umer):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/30680#comment:4>

Django

Aug 7, 2019, 2:02:50 AM
to django-...@googlegroups.com
#30680: Remove security.W007 check.
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Adnan Umer
Type: Cleanup/optimization | Status: closed
Component: Core (System checks) | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"c5075360c50b6e681fb3e7d58e6e93ae96662f49" c5075360]:
{{{
#!CommitTicketReference repository=""
revision="c5075360c50b6e681fb3e7d58e6e93ae96662f49"
Fixed #30680 -- Removed obsolete system check for
SECURE_BROWSER_XSS_FILTER setting.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30680#comment:5>
