680771 - Send X-XSS-Protection header for XSS prevention/blocking

Status: RESOLVED FIXED

(Bugzilla :: Bugzilla-General, enhancement)

Description

[Reed Loden [:reed]]

We should start sending the X-XSS-Protection header with most requests to help protect against XSS attacks. Right now, this is only supported by IE8+ and WebKit (Safari and Chrome), but Firefox is looking to add support for this in bug 528661.

Specifically, we want to add:
X-XSS-Protection: 1; mode=block

Details at http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx

Comment 1

[Reed Loden [:reed]]

Also http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

Comment 2

[Reed Loden [:reed]]

Attachment: patch - v1

Simple patch to add the header to all requests. Is there anywhere we wouldn't want to send it?

Do these headers get included for patches, or do I need to add it there as well? Specifically, Bugzilla/Attachment/PatchReader.pm and attachment.cgi.

Comment 3

[Frédéric Buclin]

I'm impressed that we need to tell a browser to block XSS...

Comment 4

[Reed Loden [:reed]]

(In reply to Frédéric Buclin from comment #3)
> I'm impressed that we need to tell a browser to block XSS...

No, we're telling the browser to completely block the XSS rather than attempting to rewrite it into something safer. By default, IE and WebKit attempt to rewrite some simple XSS vulnerabilities into something safe. However, it's better (from a security standpoint) to outright block the possible XSS (and not try to rewrite it to be "safer").

Comment 5

[Max Kanat-Alexander]

It only blocks things if you attempt to actually load them in the browser, right? So security researchers could still load PoCs as local files after downloading them?

If so, I'm totally in support of this and totally agree that we should add it everywhere. It's funny, actually, I was just thinking we should add this header; thanks for filing the bug and writing the patch, reed! :-)

Comment 6

[Max Kanat-Alexander]

Comment on attachment 554736 [details] [diff] [review]
patch - v1

Looks right to me!

Comment 7

[Max Kanat-Alexander]

LpSolit, this sound good to you?

Comment 8

[Reed Loden [:reed]]

See my question in comment #2 as well... I think we probably need to add it there, too.

Comment 9

[Frédéric Buclin]

From what I can see, this header is passed even when viewing attachments, both in Diff and Raw mode. So this patch seems fine as is.

Comment 10

[Reed Loden [:reed]]

I'd like to add this to 4.2 as well, if possible.

Comment 11

[Reed Loden [:reed]]

mkanat said no.

Comment 12

[Reed Loden [:reed]]

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/CGI.pm
Committed revision 8010.

Comment 13

[David Lawrence [:dkl]]

bmo/4.0:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
modified Bugzilla/CGI.pm
Committed revision 7953.

bmo/4.2:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
modified Bugzilla/CGI.pm
Committed revision 7953.

Comment 14

[David Lawrence [:dkl]]

(In reply to David Lawrence [:dkl] from comment #13)
> bmo/4.0:
> Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
> modified Bugzilla/CGI.pm
> Committed revision 7953.

Note: This commit has been backed out pending further testing.

dkl

Comment 15

[Reed Loden [:reed]]

A year and several IE-specific security issues later, I'd like to try again for 4.2 backport. Note that this feature has been supported by IE since 2008, so it's not some new radical thing. Chrome has supported it for a while as well, and Firefox is looking to add it soon in bug 528661. I've backported it to bmo/4.0 as well.

Comment 16

[Reed Loden [:reed]]

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/CGI.pm
Committed revision 8138.

Comment 17

[Frédéric Buclin]

Added to relnotes for 4.4 and 4.2.4.