remove SECURE_BROWSER_XSS_FILTER setting?


Tim Graham

Apr 5, 2021, 9:46:45 AM
to Django developers (Contributions to Django itself)
Hi, I think this setting and its functionality could be removed without a deprecation.

Django's docs say, "Modern browsers don’t honor X-XSS-Protection HTTP header anymore. Although the setting offers little practical benefit, you may still want to set the header if you support older browsers."
https://docs.djangoproject.com/en/3.2/ref/settings/#secure-browser-xss-filter

According to Mozilla's docs, the header is supported by IE8 and Safari.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

In Django 3.0, the system check that suggested using this setting was removed: https://code.djangoproject.com/ticket/30680.

Adam Johnson

Apr 5, 2021, 11:35:18 AM
to django-d...@googlegroups.com
I agree. The time has come to remove it as it offers little protection, and it's easy to add back if you have the requirement.

Two more data points: securityheaders.com no longer gives you points for setting the header, and caniuse.com data ( https://caniuse.com/mdn-http_headers_x-xss-protection ) shows 20.4% browser support globally, mostly through Safari.



--
Adam
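What "easy to add back" looks like in practice, as an added example that is not part of this thread or of Django's own code: a small Django-style middleware that emits the `1; mode=block` value Django's SecurityMiddleware used to send when the setting was True. The `FakeResponse` and `run_middleware` stand-ins are constructed so the example runs without Django installed; in a real project only the middleware class is needed.

```python
# Added example (not Django's own code): restore X-XSS-Protection once
# SECURE_BROWSER_XSS_FILTER is gone. Works with any get_response callable
# whose result exposes a dict-like ``headers`` attribute, which Django
# responses do from 3.2 on (there it is case-insensitive; the constructed
# stand-in below uses a plain dict).

XSS_PROTECTION_VALUE = "1; mode=block"


class BrowserXSSFilterMiddleware:
    """Add ``X-XSS-Protection: 1; mode=block`` to every response.

    Register the dotted path of this class in the ``MIDDLEWARE`` setting.
    The header is only added when the view has not set one itself, so a
    view can still opt out with ``X-XSS-Protection: 0``.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response.headers.setdefault("X-XSS-Protection", XSS_PROTECTION_VALUE)
        return response


# --- Constructed stand-ins so the example runs without Django -------------

class FakeResponse:
    """Stand-in for HttpResponse carrying only the ``headers`` mapping."""

    def __init__(self, headers=None):
        self.headers = dict(headers or {})


def run_middleware(existing_headers=None):
    """Push a constructed request through the middleware; return headers."""
    middleware = BrowserXSSFilterMiddleware(
        lambda request: FakeResponse(existing_headers)
    )
    return middleware(request=object()).headers


if __name__ == "__main__":
    print(run_middleware())                           # header added
    print(run_middleware({"X-XSS-Protection": "0"}))  # view's value kept
```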