
Removing X-XSS-Protection healthcheck

Open gilbertaoe opened this issue 2 years ago • 1 comments

Prerequisites

https://github.com/umbraco/Umbraco-CMS/issues/13040

Description

Removing health check for the X-XSS-Protection header since it is now classified as a non-standard response header that only benefits users of older browsers while potentially creating XSS vulnerabilities in an otherwise safe website. Furthermore, Chrome & Edge have retired their XSS features and Firefox has never implemented it nor plans to.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

gilbertaoe avatar Sep 21 '22 21:09 gilbertaoe
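An added example, not code from this PR or from Umbraco: a small defender-side audit that does the opposite of the removed health check, flagging a response that still sends X-XSS-Protection so the header can be dropped. The function names and the sample header sets are mine; header names are matched case-insensitively and repeated values (e.g. set by both a proxy and the app) are handled.

```python
from typing import Dict, List, Mapping, Sequence, Union

HEADER = "x-xss-protection"


def parse_x_xss_protection(value: str) -> Dict[str, object]:
    """Split a value such as '1; mode=block' into its on/off switch and directives."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    switch = parts[0] if parts else ""
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return {"switch": switch, "directives": directives}


def audit_xss_protection(headers: Mapping[str, Union[str, Sequence[str]]]) -> Dict[str, str]:
    """Report whether a response still carries the retired X-XSS-Protection header."""
    values: List[str] = []
    for name, raw in headers.items():
        if name.lower() == HEADER:
            values.extend([raw] if isinstance(raw, str) else list(raw))
    if not values:
        return {"status": "pass", "reason": "header absent; nothing to remove"}
    parsed = [parse_x_xss_protection(v) for v in values]
    if all(p["switch"] == "0" for p in parsed):
        # '0' only tells a legacy browser to keep its filter off: harmless but redundant.
        return {"status": "info", "reason": "header sends '0'; non-standard, safe to drop"}
    if any(p["switch"] == "1" for p in parsed):
        return {"status": "warn", "reason": "header enables the retired browser XSS filter; remove it"}
    return {"status": "warn", "reason": f"unrecognised value(s) {values}; remove the header"}


# Constructed sample responses for the demo (not taken from the PR or any real site).
SAMPLE_RESPONSES = {
    "clean": {"Content-Type": "text/html"},
    "legacy": {"X-XSS-Protection": "1; mode=block"},
    "conflicting": {"x-xss-protection": ["0", "1"]},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, audit_xss_protection(hdrs))
```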

Hi there @gilbertaoe, thank you for this contribution! 👍

While we wait for one of the Core Collaborators team to have a look at your work, we wanted to let you know that we have a checklist for some of the things we will consider during review:

  • It's clear what problem this is solving, there's a connected issue or a description of what the changes do and how to test them
  • The automated tests all pass (see "Checks" tab on this PR)
  • The level of security for this contribution is the same or improved
  • The level of performance for this contribution is the same or improved
  • Avoids creating breaking changes; note that behavioral changes might also be perceived as breaking
  • If this is a new feature, Umbraco HQ provided guidance on the implementation beforehand
  • [x] 💡 The contribution looks original and the contributor is presumably allowed to share it

Don't worry if you got something wrong. We like to think of a pull request as the start of a conversation, we're happy to provide guidance on improving your contribution.

If you realize that you might want to make some changes then you can do that by adding new commits to the branch you created for this work and pushing new commits. They should then automatically show up as updates to this pull request.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

github-actions[bot] avatar Sep 21 '22 21:09 github-actions[bot]

Thanks @gilbertaoe for spotting this and providing the PR to remove it 👍 Let's merge this and let this health-check go for good!!

Also, it would be super great if you could also create a PR in Umbraco Docs to remove the documentation about it: https://umbra.co/healthchecks-xss-protection can just be removed I think 😁

Cheers!

mikecp avatar Sep 28 '22 21:09 mikecp

Hi @gilbertaoe ,

You probably received a notification telling you that your PR had been reverted, so we thought we'd let you know the reason behind it. Basically, this PR removes a public class (and constant), so this is considered a breaking change, which is not allowed on minor releases 😅 So we had to revert it. The good news is that it has already been picked up for the first "acceptable" release (v12) and that we're looking for a workaround for now.

Very sorry about that!

mikecp avatar Oct 03 '22 11:10 mikecp