OpenShift Bugs / OCPBUGS-60130

Remove X-XSS-Protection header


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • 4.20.0
    • 4.20
    • Management Console
    • Quality / Stability / Reliability
    • Proposed
    • Release Note Text:

      Before this update, the console set the deprecated `X-XSS-Protection` response header when serving pages to the browser. This update removes that header. As a result, the console no longer sends an instruction that modern browsers ignore and that, in some older browsers, could itself create cross-site scripting vulnerabilities on otherwise safe pages. (link:https://issues.redhat.com/browse/OCPBUGS-60130[OCPBUGS-60130])

      Description of problem:

      The console should not set the X-XSS-Protection header. The header is deprecated: modern browsers ignore it (Chrome removed its XSS Auditor in version 78, and Firefox never implemented one), and the browser-side filter it controlled could in some cases introduce cross-site scripting vulnerabilities into otherwise safe pages. The recommended replacement is a Content-Security-Policy header.

      See: https://github.com/openshift/console/issues/15344

      How reproducible:

      Always    

      Actual results:

      The console sets the header as ("X-XSS-Protection", "1; mode=block"), i.e. its responses carry X-XSS-Protection: 1; mode=block.

      Expected results:

      The console does not set the X-XSS-Protection header at all. A response from the console should contain no X-XSS-Protection header; changing its value (for example to 0) does not satisfy this.

      Additional info:

      https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection
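      As an added illustration (example code written for this note, not code from the console project), the Go snippet below shows the header pattern this bug describes next to the fixed form, together with a check that QA or a reviewer can run offline to confirm the header is absent rather than merely changed. The middleware names, the page handler and the Content-Security-Policy value are assumptions for the example, not the console's real configuration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// legacyHeaders is the pattern this bug asks to remove: a middleware that
// sets the deprecated X-XSS-Protection header next to the other security
// headers. Illustrative only; this is not the console's own code.
func legacyHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-XSS-Protection", "1; mode=block") // deprecated; ignored by modern browsers
		next.ServeHTTP(w, r)
	})
}

// securityHeaders is the fixed form: X-XSS-Protection is not set at all, and a
// Content-Security-Policy carries the XSS mitigation instead. The policy value
// here is an assumption for this example, not the console's real policy.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		// Defensive: if an outer middleware already added the deprecated
		// header, strip it here. (Headers added by inner handlers after this
		// point are not covered; the check below catches those.)
		h.Del("X-XSS-Protection")
		next.ServeHTTP(w, r)
	})
}

// responseHeaders drives a handler with an in-memory request and returns the
// response headers, so the check runs without a listening server.
func responseHeaders(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

// hasXSSProtection reports whether a handler emits X-XSS-Protection with any
// value. Header.Values canonicalises the key, so the mixed-case spelling used
// in the console's source still matches. "Removed in totality" means this
// returns false, not that the value became "0".
func hasXSSProtection(h http.Handler) bool {
	return len(responseHeaders(h).Values("X-XSS-Protection")) > 0
}

func main() {
	// Stand-in page handler (constructed for the example).
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "<html>console</html>")
	})
	fmt.Println("legacy middleware sets X-XSS-Protection:", hasXSSProtection(legacyHeaders(page)))
	fmt.Println("fixed middleware sets X-XSS-Protection: ", hasXSSProtection(securityHeaders(page)))
}
```

      Against a running console the equivalent check is `curl -sI https://<console-host>/ | grep -i x-xss-protection`, which should print nothing once the fix is in place; a line reading `X-XSS-Protection: 0` would still be a failure against the expected results above.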

              Jakub Hadvig (jhadvig@redhat.com)
              James Force (jforce1)
              Yanping Zhang
              Jocelyn Sese
              Votes: 1
              Watchers: 7