From 0af8ac12636d864713cada463bd10a4643bb9355 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Sat, 23 Oct 2021 22:45:50 +0200
Subject: [PATCH 1/2] remove X-XSS header, resolves #5328

---
 dojo/settings/settings.dist.py | 5 -----
 dojo/settings/template-env | 3 ---
 2 files changed, 8 deletions(-)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 84ae51656e4..fa694ecc1a1 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -30,7 +30,6 @@
 DD_SESSION_EXPIRE_AT_BROWSER_CLOSE=(bool, False),
 DD_SESSION_COOKIE_AGE=(int, 1209600), # 14 days
 DD_CSRF_COOKIE_SECURE=(bool, False),
- DD_SECURE_BROWSER_XSS_FILTER=(bool, True),
 DD_SECURE_CONTENT_TYPE_NOSNIFF=(bool, True),
 DD_TIME_ZONE=(str, 'UTC'),
 DD_LANG=(str, 'en-us'),
@@ -544,10 +543,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # (except for those URLs matching a regular expression listed in SECURE_REDIRECT_EXEMPT).
 SECURE_SSL_REDIRECT = env('DD_SECURE_SSL_REDIRECT')
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# mode=block header on all responses that do not already have it.
-SECURE_BROWSER_XSS_FILTER = env('DD_SECURE_BROWSER_XSS_FILTER')
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 SECURE_CONTENT_TYPE_NOSNIFF = env('DD_SECURE_CONTENT_TYPE_NOSNIFF')
 
diff --git a/dojo/settings/template-env b/dojo/settings/template-env
index 102ff1c8cef..ca068a10dc9 100644
--- a/dojo/settings/template-env
+++ b/dojo/settings/template-env
@@ -43,9 +43,6 @@ DD_WHITENOISE=True
 # Whether to use a secure cookie for the CSRF cookie.
 # DD_CSRF_COOKIE_SECURE=False
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# DD_SECURE_BROWSER_XSS_FILTER=True
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 # DD_SECURE_CONTENT_TYPE_NOSNIFF=True
 

From ee7e070c7f5fbf617940f6740c94f483bdfadf77 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Sat, 23 Oct 2021 22:45:50 +0200
Subject: [PATCH 2/2] remove X-XSS header, resolves #5328

---
 dojo/settings/settings.dist.py | 5 -----
 dojo/settings/template-env | 3 ---
 2 files changed, 8 deletions(-)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 84ae51656e4..fa694ecc1a1 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -30,7 +30,6 @@
 DD_SESSION_EXPIRE_AT_BROWSER_CLOSE=(bool, False),
 DD_SESSION_COOKIE_AGE=(int, 1209600), # 14 days
 DD_CSRF_COOKIE_SECURE=(bool, False),
- DD_SECURE_BROWSER_XSS_FILTER=(bool, True),
 DD_SECURE_CONTENT_TYPE_NOSNIFF=(bool, True),
 DD_TIME_ZONE=(str, 'UTC'),
 DD_LANG=(str, 'en-us'),
@@ -544,10 +543,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # (except for those URLs matching a regular expression listed in SECURE_REDIRECT_EXEMPT).
 SECURE_SSL_REDIRECT = env('DD_SECURE_SSL_REDIRECT')
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# mode=block header on all responses that do not already have it.
-SECURE_BROWSER_XSS_FILTER = env('DD_SECURE_BROWSER_XSS_FILTER')
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 SECURE_CONTENT_TYPE_NOSNIFF = env('DD_SECURE_CONTENT_TYPE_NOSNIFF')
 
diff --git a/dojo/settings/template-env b/dojo/settings/template-env
index 102ff1c8cef..ca068a10dc9 100644
--- a/dojo/settings/template-env
+++ b/dojo/settings/template-env
@@ -43,9 +43,6 @@ DD_WHITENOISE=True
 # Whether to use a secure cookie for the CSRF cookie.
 # DD_CSRF_COOKIE_SECURE=False
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# DD_SECURE_BROWSER_XSS_FILTER=True
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 # DD_SECURE_CONTENT_TYPE_NOSNIFF=True
 