Merge pull request #53476 from invario/remove-x-xss-protection

nickvergessen · web-flow · commit 875e7079111b · 2025-06-30T22:54:46.000+02:00
Fix: Remove X-XSS-Protection use, check and recommendation
diff --git a/.htaccess b/.htaccess
@@ -40,9 +40,6 @@
     Header onsuccess unset X-Robots-Tag
     Header always set X-Robots-Tag "noindex, nofollow"
 
-    Header onsuccess unset X-XSS-Protection
-    Header always set X-XSS-Protection "1; mode=block"
-
     SetEnv modHeadersAvailable true
   </IfModule>
 
diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php
@@ -72,11 +72,6 @@ public function run(): SetupResult {
 					}
 				}
 
-				$xssFields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection')));
-				if (!in_array('1', $xssFields) || !in_array('mode=block', $xssFields)) {
-					$msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block']) . "\n";
-				}
-
 				$referrerPolicy = $response->getHeader('Referrer-Policy');
 				if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) {
 					$msg .= $this->l10n->t(
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -84,7 +84,7 @@ public function testSomeHeadersMissing(): void {
 
 		$result = $this->setupcheck->run();
 		$this->assertEquals(
-			"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
+			"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
 			$result->getDescription()
 		);
 		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
@@ -94,7 +94,6 @@ public static function dataSuccess(): array {
 		return [
 			// description => modifiedHeaders
 			'basic' => [[]],
-			'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
 			'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
 			'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
 			'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
@@ -113,7 +112,6 @@ public static function dataSuccess(): array {
 	public function testSuccess(array $headers): void {
 		$headers = array_merge(
 			[
-				'X-XSS-Protection' => '1; mode=block',
 				'X-Content-Type-Options' => 'nosniff',
 				'X-Robots-Tag' => 'noindex, nofollow',
 				'X-Frame-Options' => 'SAMEORIGIN',
@@ -140,8 +138,6 @@ public static function dataFailure(): array {
 		return [
 			// description => modifiedHeaders
 			'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
-			'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
-			'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
 			'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 			'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 			'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
@@ -157,7 +153,6 @@ public static function dataFailure(): array {
 	public function testFailure(array $headers, string $msg): void {
 		$headers = array_merge(
 			[
-				'X-XSS-Protection' => '1; mode=block',
 				'X-Content-Type-Options' => 'nosniff',
 				'X-Robots-Tag' => 'noindex, nofollow',
 				'X-Frame-Options' => 'SAMEORIGIN',
diff --git a/build/integration/dav_features/carddav.feature b/build/integration/dav_features/carddav.feature
@@ -49,7 +49,6 @@ Feature: carddav
         |X-Frame-Options|SAMEORIGIN|
         |X-Permitted-Cross-Domain-Policies|none|
         |X-Robots-Tag|noindex, nofollow|
-        |X-XSS-Protection|1; mode=block|
 
   Scenario: Exporting the picture of ones own contact
     Given "admin" creates an addressbook named "MyAddressbook" with statuscode "201"
@@ -63,7 +62,6 @@ Feature: carddav
       |X-Frame-Options|SAMEORIGIN|
       |X-Permitted-Cross-Domain-Policies|none|
       |X-Robots-Tag|noindex, nofollow|
-      |X-XSS-Protection|1; mode=block|
 
   Scenario: Create addressbook request for non-existing addressbook of another user
     Given user "user0" exists
diff --git a/build/integration/dav_features/dav-v2.feature b/build/integration/dav_features/dav-v2.feature
@@ -41,7 +41,6 @@ Feature: dav-v2
 			|X-Frame-Options|SAMEORIGIN|
 			|X-Permitted-Cross-Domain-Policies|none|
 			|X-Robots-Tag|noindex, nofollow|
-			|X-XSS-Protection|1; mode=block|
 		And Downloaded content should start with "Welcome to your Nextcloud account!"
 
 	Scenario: Doing a GET with a web login should work without CSRF token on the new backend
diff --git a/build/integration/dav_features/webdav-related.feature b/build/integration/dav_features/webdav-related.feature
@@ -291,7 +291,6 @@ Feature: webdav-related
 			|X-Frame-Options|SAMEORIGIN|
 			|X-Permitted-Cross-Domain-Policies|none|
 			|X-Robots-Tag|noindex, nofollow|
-			|X-XSS-Protection|1; mode=block|
 		And Downloaded content should start with "Welcome to your Nextcloud account!"
 
 	Scenario: Doing a GET with a web login should work without CSRF token on the old backend
diff --git a/lib/private/legacy/OC_Response.php b/lib/private/legacy/OC_Response.php
@@ -78,7 +78,6 @@ public static function addSecurityHeaders() {
 			header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
 			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
 			header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
-			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
 		}
 	}
 }
diff --git a/tests/data/setUploadLimit/htaccess b/tests/data/setUploadLimit/htaccess
@@ -10,7 +10,6 @@
   <IfModule mod_env.c>
     # Add security and privacy related headers
     Header set X-Content-Type-Options "nosniff"
-    Header set X-XSS-Protection "1; mode=block"
     Header set X-Robots-Tag "noindex, nofollow"
     Header set X-Frame-Options "SAMEORIGIN"
     SetEnv modHeadersAvailable true

Original file line number	Diff line number	Diff line change
`@@ -72,11 +72,6 @@ public function run(): SetupResult {`
`72`	`72`	`}`
`73`	`73`	`}`
`74`	`74`
`75`		`- $xssFields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection')));`
`76`		`- if (!in_array('1', $xssFields) \|\| !in_array('mode=block', $xssFields)) {`
`77`		- $msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block']) . "\n";
`78`		`- }`
`79`		`-`
`80`	`75`	`$referrerPolicy = $response->getHeader('Referrer-Policy');`
`81`	`76`	`if (!preg_match('/(no-referrer(-when-downgrade)?\|strict-origin(-when-cross-origin)?\|same-origin)(,\|$)/', $referrerPolicy)) {`
`82`	`77`	`$msg .= $this->l10n->t(`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,6 @@ public static function addSecurityHeaders() {`
`78`	`78`	`header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains`
`79`	`79`	`header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html`
`80`	`80`	`header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag`
`81`		`- header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters`
`82`	`81`	`}`
`83`	`82`	`}`
`84`	`83`	`}`