
zero-24 - 31 Jul 2019

Pull Request for Issue #25735 && https://scotthelme.co.uk/security-headers-updates/

Summary of Changes

Drop X-XSS-Protection and X-Content-Type-Options options from the plugin.

X-XSS-Protection

As the most popular platform that still runs an XSS Auditor, Chrome announced plans to drop it in an Intent to Deprecate and Remove: XSS Auditor. There are further details available in this bug but the TLDR is that the XSS Auditor is going. Recent changes included taking it from block mode to filter mode by default and it seems that wasn't enough to save it from the false positives. Edge removed their XSS Filter last year so with the removal from Chrome there is now no browser that will have a native XSS protection. It's time for the header to go! With that said, and using my site as an example, you can see that the X-Xss-Protection header is no longer required for an A+ grade on Security Headers.

https://scotthelme.co.uk/security-headers-updates/

According to this, the header is dying: it was already removed in Edge and is now going to be removed in Chrome too. It makes no sense to ship Joomla 4 with that old thing when we only support the latest versions of browsers anyway. Based on that text it also seems that Chrome in the past already defaulted to block mode and now to filter mode, so older versions are also "protected" as long as you are using them. The best way to eliminate XSS is using CSP, which we make much easier to do in Joomla 4 anyway.

X-Content-Type-Options

This header is now enforced by the default htaccess and web.config and seems only to confuse people, as the switch has no effect at all anymore (#25735).

Testing Instructions

Apply this patch and make sure that both headers can no longer be configured and are no longer set.

Expected result

Both headers can no longer be configured and are no longer set.

Actual result

Both headers can currently be configured and are set as of today.

Documentation Changes Required

Yes.

Additional Info

I'm happy for all your input on this; this is a suggestion to deal with those two issues.

cc @SniperSister :)

zero-24 - open - 31 Jul 2019
zero-24 - change - 31 Jul 2019
Status: New → Pending
joomla-cms-bot - change - 31 Jul 2019
Category: Administration, Language & Strings, Front End, Plugins
zero-24 - change - 31 Jul 2019
Quy - comment - 1 Aug 2019

I have tested this item successfully on 13f2cfd

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/25753.


Quy - test_item - 1 Aug 2019 - Tested successfully
Quy - test_item - 2 Aug 2019 - Tested successfully
Quy - comment - 3 Aug 2019

Remove from the dropdown menu???

[screenshot]

Quy - comment - 3 Aug 2019

I have tested this item successfully on 16b141e

Quy - test_item - 3 Aug 2019 - Tested successfully
sandewt - comment - 3 Aug 2019

[screenshot: 2019-08-03 at 17:29:47]

(1) Supplement: the 'X-Content-Type-Options' header is set by default in the htaccess or web.config file. (!?)

(2) How to set the 'X-Content-Type-Options' header if no use is made of htaccess or web.config? Or is this question not relevant?

File httpheaders.php, see line 68

private $supportedHttpHeaders = [
    'strict-transport-security',
    'content-security-policy',
    'content-security-policy-report-only',
    'x-frame-options',
    'referrer-policy',
    'expect-ct',
    'feature-policy',
];

(3) The feature-policy header may or may not be supported!? Also see the image above.

zero-24 - comment - 3 Aug 2019

(1) Supplement: the 'X-Content-Type-Options' header is set by default in the htaccess or web.config file. (!?)

I cannot follow what you want me to do.

(2) How to set the 'X-Content-Type-Options' header if no use is made of htaccess or web.config? Or is this question not relevant?

Well, here we have the same problem as for the other static headers. I cannot detect whether the header is set or not via htaccess. And it seems the current workaround of still offering that option via the plugin is just too confusing. Any suggestions on how to implement such a thing in a non-confusing way?

(3) The feature-policy header may or may not be supported!? Also see the image above.

It was just missing from the language string. Fixed.
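The point zero-24 makes above is that the plugin cannot see from inside PHP whether the shipped .htaccess or web.config rules are actually being honoured; the only reliable check is an external one against a real response. The script below is an added example for that check and is not part of this pull request or of Joomla's own code. It parses a response head, reports a missing or malformed X-Content-Type-Options header, and flags X-XSS-Protection if a stale configuration still sends it. The function names, the DEPRECATED_HEADERS table and the two sample responses are assumptions made up for the example, not captured from any real site.

```python
"""Added example (not Joomla code): audit a site's response headers for the
two headers this PR drops from the httpheaders plugin.

After the change the plugin no longer sends X-Content-Type-Options; the value
is expected to come from the shipped .htaccess / web.config. Whether those
files are honoured can only be verified from the outside, which this does.
"""
from __future__ import annotations

import urllib.error
import urllib.request

# Assumed table for the example: headers no current browser acts on.
DEPRECATED_HEADERS = {
    "x-xss-protection": "no supported browser ships an XSS auditor any more",
}


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a raw HTTP response head (status line optional) into
    (lower-cased name, value) pairs, keeping duplicates in order."""
    pairs: list[tuple[str, str]] = []
    for line in raw.strip().splitlines():
        if not line.strip():
            break  # blank line ends the head; anything after it is body
        if line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs: list[tuple[str, str]]) -> dict:
    """Return findings for the two headers this PR is about."""
    findings: dict = {"nosniff_enforced": False, "problems": []}

    xcto = [value for name, value in pairs if name == "x-content-type-options"]
    if not xcto:
        findings["problems"].append(
            "X-Content-Type-Options is missing: the .htaccess/web.config rule "
            "is not being applied (non-Apache/IIS server, or overrides disabled)"
        )
    elif any(value.lower() != "nosniff" for value in xcto):
        # 'nosniff' is the only defined value; anything else is ignored by browsers
        findings["problems"].append(
            f"X-Content-Type-Options has an invalid value: {xcto!r}"
        )
    else:
        findings["nosniff_enforced"] = True

    for name, value in pairs:
        if name in DEPRECATED_HEADERS:
            findings["problems"].append(
                f"{name} is still sent ({value!r}): {DEPRECATED_HEADERS[name]}"
            )
    return findings


def audit_raw(raw: str) -> dict:
    """Convenience wrapper: audit a raw response head."""
    return audit_headers(parse_raw_headers(raw))


def fetch_header_pairs(url: str, timeout: float = 10.0) -> list[tuple[str, str]]:
    """Fetch a live site's response headers with a HEAD request (needs network).
    Error responses (4xx/5xx) still carry headers, so they are audited too."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return [(k.lower(), v) for k, v in response.getheaders()]
    except urllib.error.HTTPError as err:
        return [(k.lower(), v) for k, v in err.headers.items()]


# Constructed sample responses for the example (not captured from a real site).
APACHE_WITH_HTACCESS = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
"""

NGINX_WITHOUT_RULES = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
"""


if __name__ == "__main__":
    import sys

    # With a URL argument the live site is audited; without, the nginx sample.
    pairs = fetch_header_pairs(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_headers(NGINX_WITHOUT_RULES)
    for problem in audit_headers(pairs)["problems"] or ["no findings"]:
        print(problem)
```

Saved as, say, audit.py, it audits a live site with `python audit.py https://example.org/` (placeholder URL) or prints the findings for the constructed nginx sample when run without arguments. If it reports the header missing on a server that does not read .htaccess or web.config, which is the usual case behind sandewt's question (2), the equivalent is a server-level directive, for nginx `add_header X-Content-Type-Options "nosniff" always;` in the server block.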

Quy - comment - 3 Aug 2019

It was just missing from the language string. Fixed.

Let's remove that language string. It adds no additional information.

sandewt - comment - 4 Aug 2019

I cannot follow what you want me to do.

I mean, add this additional information to the language string.
zero-24 - comment - 4 Aug 2019

Let's remove that language string. It adds no additional information.

Pushed.

I mean, add this additional information to the language string.

Any suggestions about a text and where we should add it?

sandewt - comment - 5 Aug 2019

Any suggestions about a text and where we should add it?

Specify it in the documentation anyway.


zero-24 - comment - 5 Aug 2019

Specify it in the documentation anyway.

?

Quy - comment - 5 Aug 2019

I have tested this item successfully on c9f8a85

Quy - test_item - 5 Aug 2019 - Tested successfully
sandewt - comment - 6 Aug 2019

I have tested this item successfully on c9f8a85

sandewt - test_item - 6 Aug 2019 - Tested successfully
franz-wohlkoenig - change - 6 Aug 2019
Status: Pending → Ready to Commit
franz-wohlkoenig - comment - 6 Aug 2019

Status "Ready To Commit".

wilsonge - change - 6 Aug 2019
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2019-08-06 10:27:24
Closed_By: wilsonge
wilsonge - close - 6 Aug 2019
wilsonge - merge - 6 Aug 2019
wilsonge - comment - 6 Aug 2019

Thanks!

zero-24 - comment - 23 Aug 2019

The two Headers have been removed from the docs: https://docs.joomla.org/J4.x:Http_Header_Management

The screenshot gets updated as soon as the other relevant PRs are merged.
