Change X-XSS-Protection "1; block" -> "0"

owncloud · Jan 16, 2021 · 9e57c64 · 9e57c64
1 parent fb8ba84
commit 9e57c64
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 16 deletions.
diff --git a/.htaccess b/.htaccess
@@ -18,7 +18,7 @@
     Header      unset X-Content-Type-Options
     Header always set X-Content-Type-Options "nosniff"
     Header      unset X-XSS-Protection
-    Header always set X-XSS-Protection "1; mode=block"
+    Header always set X-XSS-Protection "0"
     Header      unset X-Robots-Tag
     Header always set X-Robots-Tag "none"
     Header      unset X-Frame-Options

diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
@@ -236,7 +236,7 @@
 
 			if (xhr.status === 200) {
 				var securityHeaders = {
-					'X-XSS-Protection': '1; mode=block',
+					'X-XSS-Protection': '0',
 					'X-Content-Type-Options': 'nosniff',
 					'X-Robots-Tag': 'none',
 					'X-Frame-Options': 'SAMEORIGIN',

diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
@@ -416,7 +416,7 @@ describe('OC.SetupChecks tests', function() {
 			async.done(function( data, s, x ){
 				expect(data).toEqual([
 				{
-					msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
+					msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "0". This is a potential security or privacy risk and we recommend adjusting this setting.',
 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 				}, {
 					msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
@@ -457,7 +457,7 @@ describe('OC.SetupChecks tests', function() {
 
 			async.done(function( data, s, x ){
 				expect(data).toEqual([{
-					msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
+					msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "0". This is a potential security or privacy risk and we recommend adjusting this setting.',
 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
 				}, {
 					msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
@@ -474,7 +474,7 @@ describe('OC.SetupChecks tests', function() {
 			suite.server.requests[0].respond(
 				200,
 				{
-					'X-XSS-Protection': '1; mode=block',
+					'X-XSS-Protection': '0',
 					'X-Content-Type-Options': 'nosniff',
 					'X-Robots-Tag': 'none',
 					'X-Frame-Options': 'SAMEORIGIN',
@@ -497,7 +497,7 @@ describe('OC.SetupChecks tests', function() {
 
 		suite.server.requests[0].respond(200,
 			{
-				'X-XSS-Protection': '1; mode=block',
+				'X-XSS-Protection': '0',
 				'X-Content-Type-Options': 'nosniff',
 				'X-Robots-Tag': 'none',
 				'X-Frame-Options': 'SAMEORIGIN',
@@ -543,7 +543,7 @@ describe('OC.SetupChecks tests', function() {
 
 		suite.server.requests[0].respond(200,
 			{
-				'X-XSS-Protection': '1; mode=block',
+				'X-XSS-Protection': '0',
 				'X-Content-Type-Options': 'nosniff',
 				'X-Robots-Tag': 'none',
 				'X-Frame-Options': 'SAMEORIGIN',
@@ -568,7 +568,7 @@ describe('OC.SetupChecks tests', function() {
 		suite.server.requests[0].respond(200,
 			{
 				'Strict-Transport-Security': 'max-age=15551999',
-				'X-XSS-Protection': '1; mode=block',
+				'X-XSS-Protection': '0',
 				'X-Content-Type-Options': 'nosniff',
 				'X-Robots-Tag': 'none',
 				'X-Frame-Options': 'SAMEORIGIN',
@@ -593,7 +593,7 @@ describe('OC.SetupChecks tests', function() {
 		suite.server.requests[0].respond(200,
 			{
 				'Strict-Transport-Security': 'iAmABogusHeader342',
-				'X-XSS-Protection': '1; mode=block',
+				'X-XSS-Protection': '0',
 				'X-Content-Type-Options': 'nosniff',
 				'X-Robots-Tag': 'none',
 				'X-Frame-Options': 'SAMEORIGIN',
@@ -617,7 +617,7 @@ describe('OC.SetupChecks tests', function() {
 
 		suite.server.requests[0].respond(200, {
 			'Strict-Transport-Security': 'max-age=15768000',
-			'X-XSS-Protection': '1; mode=block',
+			'X-XSS-Protection': '0',
 			'X-Content-Type-Options': 'nosniff',
 			'X-Robots-Tag': 'none',
 			'X-Frame-Options': 'SAMEORIGIN',
@@ -637,7 +637,7 @@ describe('OC.SetupChecks tests', function() {
 
 		suite.server.requests[0].respond(200, {
 			'Strict-Transport-Security': 'max-age=99999999',
-			'X-XSS-Protection': '1; mode=block',
+			'X-XSS-Protection': '0',
 			'X-Content-Type-Options': 'nosniff',
 			'X-Robots-Tag': 'none',
 			'X-Frame-Options': 'SAMEORIGIN',
@@ -657,7 +657,7 @@ describe('OC.SetupChecks tests', function() {
 
 		suite.server.requests[0].respond(200, {
 			'Strict-Transport-Security': 'max-age=99999999; includeSubDomains',
-			'X-XSS-Protection': '1; mode=block',
+			'X-XSS-Protection': '0',
 			'X-Content-Type-Options': 'nosniff',
 			'X-Robots-Tag': 'none',
 			'X-Frame-Options': 'SAMEORIGIN',
@@ -677,7 +677,7 @@ describe('OC.SetupChecks tests', function() {
 
 		suite.server.requests[0].respond(200, {
 			'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains',
-			'X-XSS-Protection': '1; mode=block',
+			'X-XSS-Protection': '0',
 			'X-Content-Type-Options': 'nosniff',
 			'X-Robots-Tag': 'none',
 			'X-Frame-Options': 'SAMEORIGIN',

diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php
@@ -258,7 +258,7 @@ public static function addSecurityHeaders() {
 		// Send fallback headers for installations that don't have the possibility to send
 		// custom headers on the webserver side
 		if (\getenv('modHeadersAvailable') !== 'true') {
-			\header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+			\header('X-XSS-Protection: 0'); // Disable browser based XSS filters: https://github.com/owncloud/core/issues/38236
 			\header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 			\header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
 			\header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag

diff --git a/tests/acceptance/features/apiWebdavOperations/downloadFile.feature b/tests/acceptance/features/apiWebdavOperations/downloadFile.feature
@@ -53,7 +53,7 @@ Feature: download file
       | X-Frame-Options                   | SAMEORIGIN                                                       |
       | X-Permitted-Cross-Domain-Policies | none                                                             |
       | X-Robots-Tag                      | none                                                             |
-      | X-XSS-Protection                  | 1; mode=block                                                    |
+      | X-XSS-Protection                  | 0                                                                |
     And the downloaded content should start with "Welcome"
     Examples:
       | dav_version |

diff --git a/tests/data/setUploadLimit/htaccess b/tests/data/setUploadLimit/htaccess
@@ -10,7 +10,7 @@
   <IfModule mod_env.c>
     # Add security and privacy related headers
     Header set X-Content-Type-Options "nosniff"
-    Header set X-XSS-Protection "1; mode=block"
+    Header set X-XSS-Protection "0"
     Header set X-Robots-Tag "none"
     Header set X-Frame-Options "SAMEORIGIN"
     SetEnv modHeadersAvailable true