I agree. The time has come to remove it as it offers little protection, and
it's easy to add back if you have the requirement.

Two more data points: securityheaders.com no longer gives you points for
setting the header, and caniuse.com data (
https://caniuse.com/mdn-http_headers_x-xss-protection ) shows 20.4% browser
support globally, mostly through Safari.

On Mon, 5 Apr 2021 at 14:46, Tim Graham <timogra...@gmail.com> wrote:

> Hi, I think this setting and its functionality could be removed without a
> deprecation.
>
> Django's docs say, "Modern browsers don’t honor X-XSS-Protection HTTP
> header anymore. Although the setting offers little practical benefit, you
> may still want to set the header if you support older browsers."
>
> https://docs.djangoproject.com/en/3.2/ref/settings/#secure-browser-xss-filter
>
> According to Mozilla's docs, the header is supported by IE8 and Safari.
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
>
> In Django 3.0, the system check that suggested using this setting was
> removed: https://code.djangoproject.com/ticket/30680.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/bb6d7e16-7f8a-4c20-a3a6-4ebe3b2f05c2n%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/bb6d7e16-7f8a-4c20-a3a6-4ebe3b2f05c2n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>


-- 
Adam
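
One way to add the header back from a project's own middleware once the setting is gone (an added example, not part of the email thread or Django's code). The names `xss_protection_middleware` and `StubResponse` are hypothetical; the stub stands in for `HttpResponse`, which exposes `.headers` from Django 3.2, so the block runs without Django installed.

```python
"""Added example: re-adding X-XSS-Protection with a custom Django middleware."""

XSS_HEADER = "X-XSS-Protection"
XSS_VALUE = "1; mode=block"  # value SecurityMiddleware sent when the setting was on


def xss_protection_middleware(get_response):
    """Function-based middleware; list its dotted path in MIDDLEWARE."""

    def middleware(request):
        response = get_response(request)
        # setdefault keeps a value that a view set deliberately (e.g. "0").
        response.headers.setdefault(XSS_HEADER, XSS_VALUE)
        return response

    return middleware


class StubResponse:
    """Constructed stand-in for django.http.HttpResponse (assumption for the demo)."""

    def __init__(self, headers=None):
        self.headers = dict(headers or {})


def demo():
    """Run the middleware over two constructed responses and return their headers."""
    plain = xss_protection_middleware(lambda request: StubResponse())
    preset = xss_protection_middleware(
        lambda request: StubResponse({XSS_HEADER: "0"})
    )
    return plain(None).headers, preset(None).headers


if __name__ == "__main__":
    print(demo())
```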
