Interesting article, perhaps we ought to be using X-XSS-Protection: 0 instead to avoid browser bugs
I must have missed something: when do I need X-XSS-Protection? Shouldn't I just be using CSP to define exactly what resources are allowed to load?
Funny you should say that; it's almost exactly what MDN says: that it's a legacy header. What I found interesting was that with a strong CSP implementation, disabling the XSS filter/auditor may actually improve security.
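As an added example (not code from any of the commenters), here is a small header audit that applies the thread's advice: it checks whether a response already carries a strong script CSP and, if so, whether the legacy X-XSS-Protection header is set to 0. The "strong" heuristic (no 'unsafe-inline' without nonces/hashes, no bare wildcard or scheme-only sources) is my own assumption, and the sample headers are constructed.

```python
from typing import Dict, List, Optional

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_policy_is_strong(policy: Dict[str, List[str]]) -> bool:
    """Heuristic (an assumption of this example): the script policy is strong
    when it exists, does not allow unsafe inline script (unless nonces or
    hashes are used), and does not allow a bare wildcard or scheme-only source."""
    sources: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    uses_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not uses_nonce_or_hash:
        return False
    if any(s in ("*", "http:", "https:", "data:") for s in lowered):
        return False
    return True

def audit(headers: Dict[str, str]) -> str:
    """Return the first finding: 'missing-csp', 'weak-csp', 'set-xxp-zero' or 'ok'.
    'set-xxp-zero' means the CSP is strong but X-XSS-Protection is not 0,
    which is the situation the thread suggests fixing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return "missing-csp"
    if not script_policy_is_strong(parse_csp(csp)):
        return "weak-csp"
    if lowered.get("x-xss-protection", "").strip() != "0":
        return "set-xxp-zero"
    return "ok"

# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))  # a strong CSP with the legacy filter still on
```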