
[Enhancement] Remove `X-XSS-Protection` headers. (Deprecated header not used by browsers nowadays)

Open Fijxu opened this issue 11 months ago • 2 comments

Is your enhancement request related to a problem? Please describe.

No

Describe the solution you'd like

Remove X-XSS-Protection header.

https://github.com/iv-org/invidious/blob/e8a36985aff1a5b33ddf9abea85dd2c23422c2f7/src/invidious/routes/before_all.cr#L20

Describe alternatives you've considered

Make use of CSP (which is already implemented in Invidious, so there is no problem here)

Additional context

I will not reinvent the wheel so I will just cite the sources.

"In modern browsers, X-XSS-Protection has been deprecated in favor of the Content-Security-Policy to disable the use of inline JavaScript. Its use can introduce XSS vulnerabilities in otherwise safe websites. This should not be used unless you need to support older web browsers that don’t yet support CSP. It is thus recommended to set the header as X-XSS-Protection: 0." https://infosec.mozilla.org/guidelines/web_security#x-xss-protection

There is no need to use X-XSS-Protection unless we want to support the <2010 version of Chrome or the <2015 version of Microsoft Edge. Other browsers like Firefox never implemented or made use of this header, so it makes no sense to use it nowadays because no browser uses it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Recycled text from https://github.com/searxng/searxng/issues/3171

Fijxu, Feb 24 '24 02:02

It seems that they removed these guidelines last month:

March, 2024 arroway Remove HPKP and XXSSP obsolete guidelines

SamantazFox, Apr 20 '24 16:04

Also, yes, we want to support old browsers, so I think it's relevant? Plus we use the block mode, which is safer than letting legacy browsers try to sanitize XSSes.

SamantazFox, Apr 21 '24 18:04
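The issue text and the maintainer's reply together describe three header states worth telling apart: the legacy header absent (CSP does the work), `X-XSS-Protection: 0` as the Mozilla guideline recommends, and `1; mode=block` for old Chrome/Edge. The following audit is an added example, not Invidious code: it parses the header value, checks for a Content-Security-Policy, and reports which situation a response is in. The sample header sets are constructed; the "current" set is an assumption modelled on the maintainer's statement that block mode is used, not a capture from a running instance.

```python
# Added example (not Invidious code): classify a response's X-XSS-Protection
# and Content-Security-Policy headers the way this issue discusses them.
from typing import Dict

SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    # Constructed headers, assumed to resemble what before_all.cr sets:
    # a CSP plus the legacy header in block mode (per the maintainer's comment).
    "current": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-XSS-Protection": "1; mode=block",
    },
    # Constructed: the change proposed in this issue (header removed, CSP kept).
    "proposed": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    # Constructed: the case the Mozilla quote warns about (filter mode, no CSP).
    "legacy_only": {
        "X-XSS-Protection": "1",
    },
}


def classify_xss_protection(value: str) -> str:
    """Return 'disabled', 'block' or 'filter' for an X-XSS-Protection value.

    Accepts "0", "1" and "1; mode=block"; extra directives such as
    "report=<uri>" are tolerated. Anything whose first directive is not "1"
    counts as disabled, matching how the header was defined.
    """
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not directives or directives[0] != "1":
        return "disabled"
    if "mode=block" in directives[1:]:
        return "block"
    return "filter"


def audit(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise one response's headers; header names are case-insensitive."""
    lowered = {name.lower(): val for name, val in headers.items()}
    has_csp = "content-security-policy" in lowered
    raw = lowered.get("x-xss-protection")
    state = "absent" if raw is None else classify_xss_protection(raw)

    if not has_csp:
        advice = "add a Content-Security-Policy; X-XSS-Protection is no substitute"
    elif state == "filter":
        advice = ("set X-XSS-Protection to 0 or remove it: filter mode can itself "
                  "introduce XSS on legacy browsers")
    elif state == "block":
        advice = "only needed if legacy Chrome/Edge must be supported; otherwise remove or set to 0"
    else:
        advice = "ok: CSP is the XSS defence, legacy header absent or disabled"
    return {"csp": has_csp, "xss_protection": state, "advice": advice}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, audit(hdrs))
```

Feeding real responses in is a matter of passing the header mapping an HTTP client returns; the classifier deliberately treats a missing CSP as the finding that matters most, since the legacy header never substituted for one.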