不中用 Posted August 4, 2016 Share Posted August 4, 2016 X-XSS-Protection is set to 0 (zero) by Output.php .. Quote This is so when we post contents with scripts (which is possible in the editor, like when embedding a Twitter tweet) the browser doesn't block it Is this still needed to force/add another header? Mostly all servers are already configured to set X-XSS-Protection to 1 .. Now I have this 2x times in my headers .. . Link to comment Share on other sites More sharing options...
Colonel_mortis Posted August 4, 2016 Share Posted August 4, 2016 I'm fairly sure that it is no longer required, because they have switched to iframes instead. I think have previously brought it up with IPS, but I can't remember what their response was (I think probably they either said they'd look into it, or they just didn't see/act on that bit of the message). Link to comment Share on other sites More sharing options...
Guest Posted August 4, 2016 Share Posted August 4, 2016 Hello, I used X-XSS-Protection set to 1 some time ago which broke including posts this way: Regards, Marco Link to comment Share on other sites More sharing options...
Marcher Technologies Posted August 4, 2016 Share Posted August 4, 2016 Um, yeah, iframes being posted are flagged as XSS and blocked by that header, regardless of whether they are trusted. I don't think your server should be deciding that header, that is the software's decision based on it's needs. Link to comment Share on other sites More sharing options...
不中用 Posted August 5, 2016 Author Share Posted August 5, 2016 4 hours ago, Marcher Technologies said: Um, yeah, iframes being posted are flagged as XSS and blocked by that header, regardless of whether they are trusted. I don't think your server should be deciding that header, that is the software's decision based on it's needs. . Yes .. like you said " the software's needs " .. But that doesn't mean it has to be switched off all the time and globally .. It's a lazy coding way to avoid a problem .. And posted everywhere on the net to tidy up server security, for Apache, Nginx and etc .. it's all in the server configuration .. not that PHP have to fiddle with such things all the time .. 7 hours ago, Colonel_mortis said: I'm fairly sure that it is no longer required, because they have switched to iframes instead. I think have previously brought it up with IPS, but I can't remember what their response was (I think probably they either said they'd look into it, or they just didn't see/act on that bit of the message). . IPS never advised before to set server configuration without X-XSS-Protection which is very weird if they wanna switch it off (zero) and then server config switched in on (1) again .. having now 2 headers with 0 and 1 setting, which one will give priority ? And I guess browsers will soon not look at this header anymore to flag a warning, it will be a default setting to have xss protection always on .. . Link to comment Share on other sites More sharing options...
Colonel_mortis Posted August 5, 2016 Share Posted August 5, 2016 13 hours ago, IN10TION said: And I guess browsers will soon not look at this header anymore to flag a warning, it will be a default setting to have xss protection always on .. It is on by default in all browsers that support it (Chrome and IE/Edge), but some versions of IE need the header to force them into strict mode. IPS sends the header to disable the protection, because it used to (and may still) cause issues with the editor. 13 hours ago, IN10TION said: IPS never advised before to set server configuration without X-XSS-Protection which is very weird if they wanna switch it off (zero) and then server config switched in on (1) again .. having now 2 headers with 0 and 1 setting, which one will give priority ? The last header sent, which is probably the server config's, should take priority I think. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.