Firefox 57 should support x-xss-protection header

RESOLVED DUPLICATE of bug 528661

Status

Type: defect
People

(Reporter: degoodmanwilson, Unassigned)

Tracking

Version: 57 Branch

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

• Clone and run this Rails repo—it's a demo of a deliberately unreliable webapp for demonstration purposes. https://github.com/sqreen/VulnerableDemo
• Verify that Rails is by default emitting X-Xss-Protection: 1; mode=block at http://localhost:3000
• Open http://localhost:3000. The search form has a reflected XSS vulnerability. Exploit it by searching for "><script>alert()</script> (you know the drill)

Actual results:

Firefox fires the alert() in the reflected XSS
Expected results:

Absolutely nothing. Firefox should not have executed that script.

We don't currently support that header, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection#Browser_compatibility .

This doesn't need to be security-sensitive given that this is publicly documented and the header is meant to be defense-in-depth, and the links you've provided are demo ones (rather than, say, actually vulnerable "real" webapps...).

I would suggest using CSP in addition to whatever else you have right now, as that will give you more fine-grained control over what script is and isn't allowed to do on your site.
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Product: Firefox → Core
Summary: Firefox 57 does not reliably honor x-xss-protection header → Firefox 57 should support x-xss-protection header
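To make concrete what the report reproduces and what the reply recommends, here is an added Ruby example. It is not code from the bug, from the VulnerableDemo repo, or from Rails: the search-form markup, the `build_response` shape and the CSP policy value are assumptions chosen for illustration, and the payload is the one quoted in the steps to reproduce. The vulnerable handler reflects the query raw; the hardened one HTML-escapes it, which is the real fix. The `safe_in_firefox?` predicate models only what the thread states: Firefox does not honor X-XSS-Protection, so the only things that stop a reflected script there are clean output or a CSP whose effective script policy does not allow 'unsafe-inline'.

```ruby
require "erb"

# The reflected payload from the bug report (constructed test input, not a new finding).
PAYLOAD = %q{"><script>alert()</script>}

# Vulnerable handler: the query is interpolated raw into the value attribute,
# so the payload closes the attribute and the tag and injects a <script> element.
def vulnerable_search_page(query)
  <<~HTML
    <form action="/search"><input name="q" value="#{query}"></form>
  HTML
end

# Hardened handler: HTML-escape the reflected value. This is the actual fix;
# X-XSS-Protection is at best a browser-side mitigation, and Firefox ignores it.
def hardened_search_page(query)
  <<~HTML
    <form action="/search"><input name="q" value="#{ERB::Util.html_escape(query)}"></form>
  HTML
end

# What Rails emits by default (per the report) versus the CSP the reply suggests.
# The policy value below is an assumption chosen for this example.
RAILS_DEFAULT_HEADERS = { "X-XSS-Protection" => "1; mode=block" }.freeze
CSP_HEADERS = { "Content-Security-Policy" => "default-src 'self'; script-src 'self'" }.freeze

# Hypothetical minimal response shape (not Rack or Rails).
def build_response(body, headers)
  { status: 200, headers: { "Content-Type" => "text/html" }.merge(headers), body: body }
end

# Parse a CSP header value into { directive => [sources] }.
def parse_csp(value)
  value.to_s.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    policy[name.downcase] = sources if name && !name.empty?
  end
end

# An injected inline <script> is blocked when the effective script policy
# (script-src, falling back to default-src) exists and does not allow 'unsafe-inline'.
def csp_blocks_inline_script?(headers)
  policy = parse_csp(headers["Content-Security-Policy"])
  sources = policy["script-src"] || policy["default-src"]
  return false if sources.nil?
  !sources.include?("'unsafe-inline'")
end

# Crude but sufficient for this payload: did a script element survive into the page?
def script_injected?(body)
  body.include?("<script>")
end

# Models only what the thread states: Firefox does not honor X-XSS-Protection,
# so a reflected script runs unless the page itself is clean or CSP blocks it.
def safe_in_firefox?(response)
  !script_injected?(response[:body]) || csp_blocks_inline_script?(response[:headers])
end

if __FILE__ == $PROGRAM_NAME
  [["vulnerable + Rails default", vulnerable_search_page(PAYLOAD), RAILS_DEFAULT_HEADERS],
   ["vulnerable + CSP",           vulnerable_search_page(PAYLOAD), CSP_HEADERS],
   ["hardened + Rails default",   hardened_search_page(PAYLOAD),   RAILS_DEFAULT_HEADERS]].each do |label, body, headers|
    puts "#{label}: safe_in_firefox?=#{safe_in_firefox?(build_response(body, headers))}"
  end
end
```

Running it shows the three cases from the thread: the Rails default header alone leaves the reflected script in the page and Firefox runs it; the same vulnerable page behind a CSP with `script-src 'self'` has the inline script blocked; the escaped page is safe regardless of headers. The parser also makes the usual CSP caveat checkable: a policy that lists `'unsafe-inline'` in its effective script directive gives no protection against this injection.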

Looks like this was already on file.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: xssfilter