Closed Bug 1501215 Opened 7 years ago Closed 5 years ago

Would not say "unnecessary"

Categories

(Developer Documentation Graveyard :: General, enhancement, P3)

All
Other
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mauro.diblasi, Unassigned)

Details

:: Developer Documentation Request

Request Type: Correction
Gecko Version: unspecified
Technical Contact:

:: Details

"The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP."

I would not say it is "largely unnecessary": there are notorious CMS engines that let you install plugins and themes with a lot of inline JS, making a strong CSP difficult to implement and maintain (maybe the CMS core itself contains inline JS). It's not only an old browser problem and I think the provided description is a little reductive, at least
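Whether the quoted claim applies to a given site depends on whether its policy actually disables inline scripts. The following check is an added example, not part of the bug report or of MDN; the helper names `parseCsp` and `inlineScriptStatus` and the sample policies are constructed for illustration.

```javascript
// Added example. parseCsp and inlineScriptStatus are hypothetical helper names.
// Scope: a single policy string. Comma-separated multiple policies and
// script-src-attr (inline event handlers) are not modelled.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineScriptStatus(header) {
  const d = parseCsp(header || '');
  // Fallback chain that governs <script> elements.
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) {
    return { blocksInline: false, reason: 'no script-src or default-src directive' };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  // CSP Level 3 browsers ignore 'unsafe-inline' when a nonce, a hash or
  // 'strict-dynamic' is present in the same source list.
  const overridden = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  if (unsafeInline && !overridden) {
    return { blocksInline: false, reason: "'unsafe-inline' is in effect" };
  }
  if (unsafeInline) {
    return { blocksInline: true, reason: "'unsafe-inline' ignored by CSP3 browsers only" };
  }
  return { blocksInline: true, reason: 'inline scripts need a matching nonce or hash' };
}

// Constructed sample policies: a strict one and a CMS-style one.
for (const policy of [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'nonce-r4nd0m' 'unsafe-inline'",
]) {
  console.log(policy, '=>', inlineScriptStatus(policy));
}
```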
Priority: -- → P3
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX