#32678: Remove SECURE_BROWSER_XSS_FILTER setting (X-XSS-Protection header support)
-------------------------------------+-------------------------------------
Reporter: Tim Graham                 | Owner: Tim Graham
Type: Cleanup/optimization           | Status: assigned
Component: HTTP handling             | Version: dev
Severity: Normal                     | Keywords:
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
As proposed on
[https://groups.google.com/g/django-developers/c/Y5ewyst1gbg/m/ciqn-pwLBAAJ django-developers],
remove this setting and its functionality without a deprecation.
Django's docs say, "Modern browsers don’t honor X-XSS-Protection HTTP
header anymore. Although the setting offers little practical benefit, you
may still want to set the header if you support older browsers."
https://docs.djangoproject.com/en/3.2/ref/settings/#secure-browser-xss-filter
According to Mozilla's docs, the header is supported by IE8 and Safari.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
In Django 3.0, the system check that suggested using this setting was
removed (#30680).
--
Ticket URL: <https://code.djangoproject.com/ticket/32678>