Closed Bug 1090116 Opened 11 years ago Closed 11 years ago

X-XSS-Protection

Categories

(mozilla.org :: Security Assurance: Applications, task)

x86_64
Windows 7
task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: Hiqureshi012, Assigned: ygjb)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

X-XSS-Protection Header missing on mozila.org.

Actual results:

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. It's unknown if that version honored this header.

Expected results:

EXAMPLE: X-XSS-Protection: 1; mode=block
Component: General → Security Assurance: Operations
Product: Core → mozilla.org
Version: 33 Branch → other
Assignee: nobody → yboily
Component: Security Assurance: Operations → Security Assurance: Applications
X-XSS-Protection is only a safety-belt and its being missing is not a security vulnerability in itself. But please do report if you manage to find some breakage because we do not send this header (which we, by the way, do not even support in our own browser).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID