We should start sending the X-XSS-Protection header with most requests to help protect against XSS attacks. Right now, this is only supported by IE8+ and WebKit (Safari and Chrome), but Firefox is looking to add support for this in bug 528661. Specifically, we want to add:

X-XSS-Protection: 1; mode=block

Details at http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
Created attachment 554736
patch - v1

Simple patch to add the header to all requests. Is there anywhere we wouldn't want to send it? Do these headers get included for patches, or do I need to add it there as well? Specifically, Bugzilla/Attachment/PatchReader.pm and attachment.cgi.
I'm impressed that we need to tell a browser to block XSS...
(In reply to Frédéric Buclin from comment #3)
> I'm impressed that we need to tell a browser to block XSS...

No, we're telling the browser to completely block the XSS rather than attempting to rewrite it into something safer. By default, IE and WebKit attempt to rewrite some simple XSS vulnerabilities into something safe. However, it's better (from a security standpoint) to outright block the possible XSS (and not try to rewrite it to be "safer").
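The distinction drawn above (filter-and-rewrite versus `mode=block`) is easy to get wrong in a deployment check, because a typo in the value silently degrades to the browser default. The following is an added example, not code from Bugzilla or from this patch: it parses the header's documented forms (`0`, `1`, `1; mode=block`, `1; report=<uri>`), classifies what a response is actually asking the browser to do, and shows the header being added to every response by a WSGI middleware. Bugzilla itself is Perl (the patch touches Bugzilla/CGI.pm); the Python WSGI app here is a constructed stand-in, and `demo_app`, `classify` and the other names are this example's own. One caveat worth knowing when reading this thread today: Firefox never shipped the filter tracked in bug 528661 and Chromium removed its XSS Auditor in 2019, so current browsers act on Content-Security-Policy rather than on this header.

```python
# Added example (not Bugzilla code): parse, validate and emit the X-XSS-Protection header.
from typing import Callable, Dict, Iterable, List, Tuple

HEADER_NAME = "X-XSS-Protection"
RECOMMENDED_VALUE = "1; mode=block"  # the value proposed in this bug


def parse_xss_protection(value: str) -> Dict[str, object]:
    """Parse the header's documented forms: '0', '1', '1; mode=block', '1; report=<uri>'.

    Returns {'enabled': bool, 'mode': 'block' or None, 'report': uri or None}.
    Anything outside that grammar raises ValueError, so a typo such as
    'mode=blcok' is reported instead of quietly falling back to filter mode.
    """
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        raise ValueError(f"{HEADER_NAME} must start with 0 or 1, got {value!r}")
    parsed: Dict[str, object] = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        if not directive:
            continue  # tolerate a trailing ';'
        key, sep, val = directive.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not sep or not val:
            raise ValueError(f"malformed directive {directive!r}")
        if key == "mode":
            if val.lower() != "block":
                raise ValueError(f"unknown mode {val!r}")
            parsed["mode"] = "block"
        elif key == "report":
            parsed["report"] = val
        else:
            raise ValueError(f"unknown directive {key!r}")
    return parsed


def classify(headers: Iterable[Tuple[str, str]]) -> str:
    """Summarise what a response's headers ask the browser's XSS filter to do.

    'missing'  -> header absent: browser default (rewrite where the filter exists)
    'disabled' -> '0': filter switched off for this page
    'filter'   -> '1' without mode=block: browser rewrites the suspected injection
    'block'    -> '1; mode=block': rendering of the page is stopped entirely
    'invalid'  -> value does not parse
    """
    values = [v for k, v in headers if k.lower() == HEADER_NAME.lower()]
    if not values:
        return "missing"
    try:
        parsed = parse_xss_protection(values[-1])  # if repeated, inspect the last value sent
    except ValueError:
        return "invalid"
    if not parsed["enabled"]:
        return "disabled"
    return "block" if parsed["mode"] == "block" else "filter"


def add_xss_protection(app: Callable, value: str = RECOMMENDED_VALUE) -> Callable:
    """WSGI middleware that adds the header to every response lacking one.

    A value set by the wrapped app is left alone, so a page that has to opt
    out (by sending '0') can still do so.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if not any(k.lower() == HEADER_NAME.lower() for k, _ in headers):
                headers = list(headers) + [(HEADER_NAME, value)]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for a Bugzilla page: plain HTML with no security headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>show_bug.cgi</body></html>"]


def run_demo() -> List[Tuple[str, str]]:
    """Call the wrapped app with a minimal WSGI environ and return the headers it emitted."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None

    body = b"".join(add_xss_protection(demo_app)({"REQUEST_METHOD": "GET"}, start_response))
    assert body  # the body is untouched; only the header list changes
    return captured


if __name__ == "__main__":
    hdrs = run_demo()
    print(hdrs, "->", classify(hdrs))
```

Running the block prints the demo response's headers and the classification `block`. The middleware only fills in a missing header rather than overwriting an existing one, which is the behaviour a site-wide default should have if individual pages ever need to disable the filter; `classify` is the check to run against live responses (for example on attachment.cgi output, which comment #2 asks about) to confirm the value really is `1; mode=block` and not the weaker rewrite mode.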
It only blocks things if you attempt to actually load them in the browser, right? So security researchers could still load PoCs as local files after downloading them? If so, I'm totally in support of this and totally agree that we should add it everywhere. It's funny, actually, I was just thinking we should add this header; thanks for filing the bug and writing the patch, reed! :-)
Comment on attachment 554736
patch - v1

Looks right to me!
LpSolit, this sounds good to you?
See my question in comment #2 as well... I think we probably need to add it there, too.
From what I can see, this header is passed even when viewing attachments, both in Diff and Raw mode. So this patch seems fine as is.
I'd like to add this to 4.2 as well, if possible.
mkanat said no.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/CGI.pm
Committed revision 8010.
bmo/4.0:
Committing to: bzr+ssh://email@example.com/bmo/4.0
modified Bugzilla/CGI.pm
Committed revision 7953.

bmo/4.2:
Committing to: bzr+ssh://firstname.lastname@example.org/bmo/4.2
modified Bugzilla/CGI.pm
Committed revision 7953.
(In reply to David Lawrence [:dkl] from comment #13)
> bmo/4.0:
> Committing to: bzr+ssh://email@example.com/bmo/4.0
> modified Bugzilla/CGI.pm
> Committed revision 7953.

Note: This commit has been backed out pending further testing.

dkl
A year and several IE-specific security issues later, I'd like to try again for 4.2 backport. Note that this feature has been supported by IE since 2008, so it's not some new radical thing. Chrome has supported it for a while as well, and Firefox is looking to add it soon in bug 528661. I've backported it to bmo/4.0 as well.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/CGI.pm
Committed revision 8138.
Added to relnotes for 4.4 and 4.2.4.