X-XSS-Protection should be replaced by CSP

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

>**Non-standard:** This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

>**Warning:** Even though this feature can protect users of older web browsers that don't yet support [CSP](https://developer.mozilla.org/en-US/docs/Glossary/CSP), in some cases, **XSS protection can create XSS vulnerabilities** in otherwise safe websites. See the section below for more information.

>**Note:**
> - Chrome has [removed their XSS Auditor](https://chromestatus.com/feature/5021976655560704)
> - Firefox has not, and [will not implement X-XSS-Protection](https://bugzil.la/528661)
> - Edge has [retired their XSS filter](https://blogs.windows.com/windows-insider/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/)
>
>This means that if you do not need to support legacy browsers, it is recommended that you use [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) without allowing `unsafe-inline` scripts instead.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

X-XSS-Protection should be replaced by CSP #10

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

X-XSS-Protection should be replaced by CSP #10

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions