disable legacy X-XSS-Protection feature

Obsolete in every modern browser, unsafe, and replaced by CSP
2024-06-10 12:22:22 +00:00 · 2022-03-21 06:30:37 +01:00 · 2022-03-21 06:30:37 +01:00 · 27d4b713f6
commit 27d4b713f6
parent 8d06d9c111
1 changed files with 2 additions and 1 deletions
--- a/src/util.rs
+++ b/src/util.rs
@ -32,7 +32,8 @@ impl Fairing for AppHeaders {
        res.set_raw_header("Referrer-Policy", "same-origin");
        res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
        res.set_raw_header("X-Content-Type-Options", "nosniff");
-        res.set_raw_header("X-XSS-Protection", "1; mode=block");
+        // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP
+        res.set_raw_header("X-XSS-Protection", "0");
        let csp = format!(
            // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
            // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US