Merge PR rails#41769

Author: rafaelfranca

actionpack/test/controller/base_test.rb

@@ -133,7 +133,7 @@ def test_response_has_default_headers
     ActionDispatch::Response.default_headers = {
       "X-Frame-Options" => "DENY",
       "X-Content-Type-Options" => "nosniff",
-      "X-XSS-Protection" => "1;"
+      "X-XSS-Protection" => "0"
     }
 
     response_headers = SimpleController.action("hello").call(

actionpack/test/controller/metal_test.rb

@@ -15,7 +15,7 @@ def test_response_does_not_have_default_headers
     ActionDispatch::Response.default_headers = {
       "X-Frame-Options" => "DENY",
       "X-Content-Type-Options" => "nosniff",
-      "X-XSS-Protection" => "1;"
+      "X-XSS-Protection" => "0"
     }
 
     response_headers = SimpleController.action("hello").call(

actionpack/test/dispatch/response_test.rb

@@ -339,7 +339,7 @@ def test_only_set_charset_still_defaults_to_text_html
       ActionDispatch::Response.default_headers = {
         "X-Frame-Options" => "DENY",
         "X-Content-Type-Options" => "nosniff",
-        "X-XSS-Protection" => "1;",
+        "X-XSS-Protection" => "0",
         "X-Download-Options" => "noopen",
         "X-Permitted-Cross-Domain-Policies" => "none",
         "Referrer-Policy" => "strict-origin-when-cross-origin"
@@ -351,7 +351,7 @@ def test_only_set_charset_still_defaults_to_text_html
 
       assert_equal("DENY", resp.headers["X-Frame-Options"])
       assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
-      assert_equal("1;", resp.headers["X-XSS-Protection"])
+      assert_equal("0", resp.headers["X-XSS-Protection"])
       assert_equal("noopen", resp.headers["X-Download-Options"])
       assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
       assert_equal("strict-origin-when-cross-origin", resp.headers["Referrer-Policy"])

guides/source/configuring.md

@@ -1738,6 +1738,16 @@ Accepts a string for the HTML tag used to wrap attachments. Defaults to `"action
 - `config.active_record.partial_inserts`: `false`
 - `config.active_storage.variant_processor`: `:vips`
 - `config.action_controller.wrap_parameters_by_default`: `true`
+- `config.action_dispatch.default_headers`:
+
+    {
+      "X-Frame-Options" => "SAMEORIGIN",
+      "X-XSS-Protection" => "0",
+      "X-Content-Type-Options" => "nosniff",
+      "X-Download-Options" => "noopen",
+      "X-Permitted-Cross-Domain-Policies" => "none",
+      "Referrer-Policy" => "strict-origin-when-cross-origin"
+    }
 
 #### For '6.1', defaults from previous versions below and:
 
@@ -1822,6 +1832,16 @@ Accepts a string for the HTML tag used to wrap attachments. Defaults to `"action
 - `config.active_storage.video_preview_arguments`: `"-y -vframes 1 -f image2"`
 - `config.active_storage.variant_processor`: `:mini_magick`
 - `config.action_controller.wrap_parameters_by_default`: `false`
+- `config.action_dispatch.default_headers`:
+
+    {
+      "X-Frame-Options" => "SAMEORIGIN",
+      "X-XSS-Protection" => "1; mode=block",
+      "X-Content-Type-Options" => "nosniff",
+      "X-Download-Options" => "noopen",
+      "X-Permitted-Cross-Domain-Policies" => "none",
+      "Referrer-Policy" => "strict-origin-when-cross-origin"
+    }
 
 ### Configuring a Database
 

guides/source/security.md

@@ -1036,7 +1036,7 @@ Every HTTP response from your Rails application receives the following default s
 ```ruby
 config.action_dispatch.default_headers = {
   'X-Frame-Options' => 'SAMEORIGIN',
-  'X-XSS-Protection' => '1; mode=block',
+  'X-XSS-Protection' => '0',
   'X-Content-Type-Options' => 'nosniff',
   'X-Download-Options' => 'noopen',
   'X-Permitted-Cross-Domain-Policies' => 'none',
@@ -1062,7 +1062,7 @@ config.action_dispatch.default_headers.clear
 Here is a list of common headers:
 
 * **X-Frame-Options:** _`SAMEORIGIN` in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or remove this header completely if you want to allow framing on all websites.
-* **X-XSS-Protection:** _`1; mode=block` in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
+* **X-XSS-Protection:** _`0` in Rails by default_ - [deprecated legacy header](https://owasp.org/www-project-secure-headers/#x-xss-protection), set to '0' to disable problematic legacy XSS auditors.
 * **X-Content-Type-Options:** _`nosniff` in Rails by default_ - stops the browser from guessing the MIME type of a file.
 * **X-Content-Security-Policy:** [A powerful mechanism for controlling which sites certain content types can be loaded from](https://w3c.github.io/webappsec-csp/)
 * **Access-Control-Allow-Origin:** Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.

railties/CHANGELOG.md

@@ -1,3 +1,18 @@
+*   Change default `X-XSS-Protection` header to disable XSS auditor
+
+    This header has been deprecated and the XSS auditor it triggered
+    has been removed from all major modern browsers (in favour of
+    Content Security Policy) that implemented this header to begin with
+    (Firefox never did).
+
+    [OWASP](https://owasp.org/www-project-secure-headers/#x-xss-protection)
+    suggests setting this header to '0' to disable the default behaviour
+    on old browsers as it can introduce additional security issues.
+
+    Added the new behaviour as a framework default from Rails 7.0.
+
+    *Christian Sutter*
+
 *   Scaffolds now use date_field, time_field and datetime_field instead of
     date_select, time_select and datetime_select; thus providing native date/time pickers.
 

railties/lib/rails/application/configuration.rb

@@ -198,6 +198,14 @@ def load_defaults(target_version)
           load_defaults "6.1"
 
           if respond_to?(:action_dispatch)
+            action_dispatch.default_headers = {
+              "X-Frame-Options" => "SAMEORIGIN",
+              "X-XSS-Protection" => "0",
+              "X-Content-Type-Options" => "nosniff",
+              "X-Download-Options" => "noopen",
+              "X-Permitted-Cross-Domain-Policies" => "none",
+              "Referrer-Policy" => "strict-origin-when-cross-origin"
+            }
             action_dispatch.return_only_request_media_type_on_content_type = false
             action_dispatch.cookies_serializer = :json
           end

railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_7_0.rb.tt

@@ -107,5 +107,15 @@
 # `String` to `Digest::UUID.uuid_v3` or `Digest::UUID.uuid_v5` method calls.
 #
 # See https://guides.rubyonrails.org/configuring.html#config-active-support-use-rfc4122-namespaced-uuids for
-# more information
+# more information.
 # Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
+
+# Change the default headers to disable browsers' flawed legacy XSS protection.
+# Rails.application.config.action_dispatch.default_headers = {
+#   "X-Frame-Options" => "SAMEORIGIN",
+#   "X-XSS-Protection" => "0",
+#   "X-Content-Type-Options" => "nosniff",
+#   "X-Download-Options" => "noopen",
+#   "X-Permitted-Cross-Domain-Policies" => "none",
+#   "Referrer-Policy" => "strict-origin-when-cross-origin"
+# }