django: Remove use of X-XSS-Protection header

- This header is not supported by modern browsers[1]

- Our Content-Security-Policy header already does a better job.

- Django 4.0 removed this setting and does nothing with it.

Links:

1) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Tests:

- Without the patch, the X-XSS-Protection header is sent; with the patch it is
not sent.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Sunil Mohan Adapa 2023-08-10 08:05:03 -07:00 committed by James Valleroy
parent ee05f98833
commit da24f852cf
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808


@ -139,8 +139,6 @@ PASSWORD_HASHERS = [
ROOT_URLCONF = 'plinth.urls'
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
# Overridden based configuration key secure_proxy_ssl_header
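Review bot: the hunk header's count (8 lines before, 6 after) implies two lines were removed, but only `SECURE_BROWSER_XSS_FILTER = True` is visible as a deletion and the `+`/`-` markers did not survive rendering, so the second removed line cannot be checked from what is shown; confirm in the repository that no other reference to `SECURE_BROWSER_XSS_FILTER` remains (tests, documentation, deployment templates), since Django 4.0 ignores the setting and leaving a stale reference elsewhere would be dead configuration. The commit message's justification that the Content-Security-Policy header "already does a better job" holds only if that header is emitted on every response the X-XSS-Protection header previously covered; a test asserting the CSP header is present on the same responses would back the claim, and the existing test (header absent with the patch) covers only the removal.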