Closed Bug 1501215 Opened 2 years ago Closed 5 months ago

Would not say "unnecessary"

Categories

(Developer Documentation Graveyard :: General, enhancement, P3)

All
Other
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mauro.diblasi, Unassigned)

References

()

Details

:: Developer Documentation Request

      Request Type: Correction
     Gecko Version: unspecified
 Technical Contact: 

:: Details

"The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP."

I would not say it is "largely unnecessary": there are notorious CMS engines that let you install plugins and themes with lot of inline JS, making a strong CSP difficult to implement a maintain (maybe the CMS core itself contains inline JS). It's not only an old browser problem and I think the provided description is a little reductive, at least
Priority: -- → P3
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.