From da24f852cf6306624ed45b658804ac76403596b4 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Thu, 10 Aug 2023 08:05:03 -0700
Subject: [PATCH] django: Remove use of X-XSS-Protection header

- This header is not supported by modern browsers[1]
- Our Content-Security-Policy header already does a better job.
- Django 4.0 removed this setting and does nothing with it.

Links:
1) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Tests:
- Without the patch X-XSS-Protection header is sent and with the patch it is
not sent.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/settings.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/plinth/settings.py b/plinth/settings.py
index 6213d74a7..278ebe247 100644
--- a/plinth/settings.py
+++ b/plinth/settings.py
@@ -139,8 +139,6 @@ PASSWORD_HASHERS = [
 
 ROOT_URLCONF = 'plinth.urls'
 
-SECURE_BROWSER_XSS_FILTER = True
-
 SECURE_CONTENT_TYPE_NOSNIFF = True
 
 # Overridden based configuration key secure_proxy_ssl_header