User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:
• Clone and run this Rails repo—it's a demo of a deliberately unreliable webapp for demonstration purposes. https://github.com/sqreen/VulnerableDemo
• Verify that Rails is by default emitting X-Xss-Protection: 1; mode=block at http://localhost:3000
• Open http://localhost:3000. The search form has a reflected XSS vulnerability. Exploit it by searching for "><script>alert()</script> (you know the drill)

Actual results:
Firefox fires the alert() in the reflected XSS

Expected results:
Absolutely nothing. Firefox should not have executed that script.
We don't currently support that header; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection#Browser_compatibility . This doesn't need to be security-sensitive given that this is publicly documented and the header is meant to be defense-in-depth, and the links you've provided are demo ones (rather than, say, actually vulnerable "real" webapps...). I would suggest using CSP in addition to whatever else you have right now, as that will give you more fine-grained control over what script is and isn't allowed to do on your site.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Product: Firefox → Core
Summary: Firefox 57 does not reliably honor x-xss-protection header → Firefox 57 should support x-xss-protection header
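As an added example (not code from the VulnerableDemo repo, Rails or Firefox), a small Ruby script that contrasts the unescaped search-form rendering behind the reported reflected XSS with the escaped version, and builds the nonce-based Content-Security-Policy header the reply above recommends as the control that does not depend on X-XSS-Protection support. The render_* and csp_header functions are hypothetical names, and the rendered markup is a reconstruction, not the demo app's actual template.

```ruby
require "cgi"
require "securerandom"

# Constructed sample input: the reflected-XSS payload quoted in the report.
PAYLOAD = %q{"><script>alert()</script>}

# Vulnerable pattern (hypothetical reconstruction of the demo app's search page):
# the query is interpolated into the value attribute unescaped, so the quote and
# angle brackets in PAYLOAD close the attribute and open a live <script> element.
def render_search_vulnerable(query)
  %(<input name="q" value="#{query}">)
end

# Hardened rendering: CGI.escapeHTML turns " < > & into entities, so the payload
# stays inert text inside the attribute. This is what Rails' ERB does by default
# when the template does not bypass escaping.
def render_search_escaped(query)
  %(<input name="q" value="#{CGI.escapeHTML(query)}">)
end

# Per-response nonce for the CSP script-src directive (16 random bytes, base64).
def new_nonce
  SecureRandom.base64(16)
end

# Content-Security-Policy value allowing only same-origin scripts and inline
# scripts carrying this response's nonce. An injected <script> has neither, so a
# CSP-supporting browser refuses to run it whether or not it honors X-XSS-Protection.
def csp_header(nonce)
  [
    "default-src 'self'",
    "script-src 'self' 'nonce-#{nonce}'",
    "object-src 'none'",
    "base-uri 'self'"
  ].join("; ")
end

# Crude check used to compare the two renderings: does a real <script> tag survive?
def script_injected?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts render_search_vulnerable(PAYLOAD)
  puts render_search_escaped(PAYLOAD)
  puts "Content-Security-Policy: #{csp_header(new_nonce)}"
end
```

In a Rails app the same policy is declared in config/content_security_policy.rb (available since Rails 5.2) rather than assembled by hand.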
Looks like this was already on file.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: xssfilter