Bug 680771 - Send X-XSS-Protection header for XSS prevention/blocking
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: 4.0.2
Platform: All All
Importance: -- enhancement
Target Milestone: Bugzilla 4.2
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Depends on:
Reported: 2011-08-21 10:32 PDT by Reed Loden [:reed] (use needinfo?)
Modified: 2013-11-06 04:42 PST (History)
CC: 9 users
LpSolit: approval+
LpSolit: approval4.2+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

patch - v1 (457 bytes, patch)
2011-08-21 10:45 PDT, Reed Loden [:reed] (use needinfo?)
mkanat: review+

Description Reed Loden [:reed] (use needinfo?) 2011-08-21 10:32:19 PDT
We should start sending the X-XSS-Protection header with most requests to help protect against XSS attacks. Right now, this is only supported by IE8+ and WebKit (Safari and Chrome), but Firefox is looking to add support for this in bug 528661.

Specifically, we want to add:
X-XSS-Protection: 1; mode=block

Details at
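As an added example (not part of this bug's patch and not Bugzilla's own code), the snippet below parses the X-XSS-Protection header value the bug proposes, distinguishes the three browser behaviours it can select (filter-and-rewrite, outright block, disabled), and classifies a raw response header block so a defender can verify that a server is really sending `1; mode=block`. The sample responses are constructed for the example. Worth knowing when reading this bug today: Chrome removed its XSS Auditor in 2019 and Firefox never shipped support for the header, so Content-Security-Policy is the mechanism browsers now honour; the header remains useful to check against legacy clients.

```python
"""Parse and check the X-XSS-Protection response header.

Added example, not Bugzilla code. Header syntax handled here:
  X-XSS-Protection: 0                 (browser filter disabled)
  X-XSS-Protection: 1                 (filter on, browser rewrites/sanitises)
  X-XSS-Protection: 1; mode=block     (filter on, page rendering is blocked)
  X-XSS-Protection: 1; report=<url>   (WebKit/Chrome extension)
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class XssProtection:
    enabled: bool
    mode: Optional[str]
    report: Optional[str]

    @property
    def blocks(self) -> bool:
        """True only for the setting this bug asks for: 1; mode=block."""
        return self.enabled and self.mode == "block"


def parse_xss_protection(value: str) -> XssProtection:
    """Parse the header value; raise ValueError on anything malformed."""
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    if flag not in ("0", "1"):
        raise ValueError(f"bad X-XSS-Protection flag: {flag!r}")
    mode = report = None
    for directive in parts[1:]:
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name == "mode":
            if val.lower() != "block":
                raise ValueError(f"unknown mode: {val!r}")
            mode = "block"
        elif name == "report":
            report = val
        else:
            raise ValueError(f"unknown directive: {name!r}")
    return XssProtection(enabled=(flag == "1"), mode=mode, report=report)


def add_security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a response header map with the blocking setting
    applied, unless the page already set the header explicitly."""
    out = dict(headers)
    out.setdefault("X-XSS-Protection", "1; mode=block")
    return out


def check_response_headers(raw: str) -> str:
    """Classify a raw HTTP header block as 'block', 'filter', 'disabled'
    or 'missing' according to its X-XSS-Protection header."""
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            parsed = parse_xss_protection(val)
            if not parsed.enabled:
                return "disabled"
            return "block" if parsed.blocks else "filter"
    return "missing"


# Constructed sample responses (not captured from a real server).
SAMPLE_BLOCK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)
SAMPLE_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1\r\n"
    "\r\n"
)
SAMPLE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("block", SAMPLE_BLOCK), ("filter", SAMPLE_FILTER),
                       ("missing", SAMPLE_MISSING)):
        print(label, "->", check_response_headers(raw))
```

`add_security_headers` uses `setdefault` on purpose: a page that deliberately sends `X-XSS-Protection: 0` (for instance because the filter is known to break it) keeps its opt-out, which matches the "is there anywhere we wouldn't want to send it?" concern raised later in this bug.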
Comment 1 Reed Loden [:reed] (use needinfo?) 2011-08-21 10:41:52 PDT
Comment 2 Reed Loden [:reed] (use needinfo?) 2011-08-21 10:45:11 PDT
Created attachment 554736 [details] [diff] [review]
patch - v1

Simple patch to add the header to all requests. Is there anywhere we wouldn't want to send it?

Do these headers get included for patches, or do I need to add it there as well? Specifically, Bugzilla/Attachment/ and attachment.cgi.
Comment 3 Frédéric Buclin 2011-08-21 11:12:43 PDT
I'm impressed that we need to tell a browser to block XSS...
Comment 4 Reed Loden [:reed] (use needinfo?) 2011-08-21 11:19:28 PDT
(In reply to Frédéric Buclin from comment #3)
> I'm impressed that we need to tell a browser to block XSS...

No, we're telling the browser to completely block the XSS rather than attempting to rewrite it into something safer. By default, IE and WebKit attempt to rewrite some simple XSS vulnerabilities into something safe. However, it's better (from a security standpoint) to outright block the possible XSS (and not try to rewrite it to be "safer").
Comment 5 Max Kanat-Alexander 2011-08-25 15:22:34 PDT
It only blocks things if you attempt to actually load them in the browser, right? So security researchers could still load PoCs as local files after downloading them?

If so, I'm totally in support of this and totally agree that we should add it everywhere. It's funny, actually, I was just thinking we should add this header; thanks for filing the bug and writing the patch, reed! :-)
Comment 6 Max Kanat-Alexander 2011-08-25 15:23:24 PDT
Comment on attachment 554736 [details] [diff] [review]
patch - v1

Looks right to me!
Comment 7 Max Kanat-Alexander 2011-08-25 15:24:15 PDT
LpSolit, this sound good to you?
Comment 8 Reed Loden [:reed] (use needinfo?) 2011-08-25 15:53:08 PDT
See my question in comment #2 as well... I think we probably need to add it there, too.
Comment 9 Frédéric Buclin 2011-11-21 14:04:37 PST
From what I can see, this header is passed even when viewing attachments, both in Diff and Raw mode. So this patch seems fine as is.
Comment 10 Reed Loden [:reed] (use needinfo?) 2011-11-21 14:13:29 PST
I'd like to add this to 4.2 as well, if possible.
Comment 11 Reed Loden [:reed] (use needinfo?) 2011-11-21 14:14:44 PST
mkanat said no.
Comment 12 Reed Loden [:reed] (use needinfo?) 2011-11-21 14:16:13 PST
Committing to: bzr+ssh://
modified Bugzilla/
Committed revision 8010.
Comment 13 David Lawrence [:dkl] 2011-11-21 14:53:52 PST
Committing to: bzr+ssh://
modified Bugzilla/
Committed revision 7953.

Committing to: bzr+ssh://
modified Bugzilla/
Committed revision 7953.
Comment 14 David Lawrence [:dkl] 2011-11-22 07:37:37 PST
(In reply to David Lawrence [:dkl] from comment #13)
> bmo/4.0:
> Committing to: bzr+ssh://
> modified Bugzilla/
> Committed revision 7953.

Note: This commit has been backed out pending further testing.

Comment 15 Reed Loden [:reed] (use needinfo?) 2012-09-09 11:58:05 PDT
A year and several IE-specific security issues later, I'd like to try again for 4.2 backport. Note that this feature has been supported by IE since 2008, so it's not some new radical thing. Chrome has supported it for a while as well, and Firefox is looking to add it soon in bug 528661. I've backported it to bmo/4.0 as well.
Comment 16 Reed Loden [:reed] (use needinfo?) 2012-09-12 16:54:08 PDT
Committing to: bzr+ssh://
modified Bugzilla/
Committed revision 8138.
Comment 17 Frédéric Buclin 2012-11-01 11:27:47 PDT
Added to relnotes for 4.4 and 4.2.4.
