Mark Dain Interesting article, perhaps we ought to be using X-XSS-Protection: 0 instead to avoid browser bugs blog.innerht.ml/th... ?
Martijn I must have missed something, when do I need X-XSS-Protection? Shouldn't I just be using CSP to define exactly what resources are allowed to load?
6y, 35w 2 replies
Mark Dain Funny you should say that, it's almost exactly what MDN says (developer.mozilla....): that it's a legacy header. What I found interesting was that with a strong CSP implementation, disabling the XSS filter/auditor may actually improve security.
6y, 35w 1 reply
Martijn Over on my homepage I only allow a single inline script to run, which is identified through the CSP header by its matching SHA hash. I feel pretty OK about that. I would definitely recommend setting up CSP as strict as possible if you are working on something with high security demands.
6y, 35w reply
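The setup Martijn describes (one inline script, whitelisted by its SHA hash in the CSP header) combined with Mark's suggestion of sending X-XSS-Protection: 0, as an added worked example. This is not code from either poster or from Martijn's homepage; the inline script body is a constructed sample, and the policy directives around the hash are a reasonable strict baseline, not the thread's actual header.

```python
import base64
import hashlib
import re

# Constructed sample inline script; the hash must be computed over the exact
# bytes served between <script> and </script>, whitespace included.
INLINE_SCRIPT = "document.getElementById('year').textContent = new Date().getFullYear();"


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for an inline script."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash-sources must be sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_headers(script_body: str) -> dict:
    """Response headers for a page that allows exactly one inline script by hash.

    X-XSS-Protection: 0 turns off the legacy browser XSS auditor (the point
    raised in the thread); the CSP then decides what is allowed to run.
    """
    policy = "; ".join([
        "default-src 'self'",
        f"script-src 'self' {csp_hash(script_body)}",
        "object-src 'none'",
        "base-uri 'none'",
    ])
    return {"Content-Security-Policy": policy, "X-XSS-Protection": "0"}


def script_allowed(policy: str, script_body: str) -> bool:
    """Decide, as a browser would, whether an inline script may run under a policy.

    An inline script runs if a hash-source in script-src (falling back to
    default-src) matches its exact contents. 'unsafe-inline' only counts when
    no hash- or nonce-sources are present, which is how browsers treat it.
    """
    directives = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))

    hash_re = re.compile(r"'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'")
    strict_sources = [s for s in sources if hash_re.fullmatch(s) or s.startswith("'nonce-")]
    if not strict_sources:
        return "'unsafe-inline'" in sources

    for src in strict_sources:
        m = hash_re.fullmatch(src)
        if m and csp_hash(script_body, m.group(1)) == src:
            return True
    return False


if __name__ == "__main__":
    headers = build_headers(INLINE_SCRIPT)
    for name, value in headers.items():
        print(f"{name}: {value}")
    # A one-byte change to the script (e.g. an injected payload) no longer matches.
    print(script_allowed(headers["Content-Security-Policy"], INLINE_SCRIPT))
    print(script_allowed(headers["Content-Security-Policy"], INLINE_SCRIPT + " "))
```

Regenerate the hash whenever the inline script changes, ideally as part of the build so the header and the markup cannot drift apart; a stale hash fails closed (the script stops running) rather than open.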