Send X-XSS-Protection header for XSS prevention/blocking

RESOLVED FIXED in Bugzilla 4.2

Status: RESOLVED FIXED
Product: Bugzilla
Component: Bugzilla-General
Priority: --
Severity: enhancement
Reported: 6 years ago
Last modified: 4 years ago

People: Reporter: reed; Assigned: reed

Tracking: Version 4.0.2; Target Milestone: Bugzilla 4.2
Bug Flags: approval+, approval4.2+

Whiteboard: [wanted-bmo][infrasec:bestpractice][ws:none]

Attachments: 1 attachment

Description (reed, assignee), 6 years ago
We should start sending the X-XSS-Protection header with most requests to help protect against XSS attacks. Right now, this is only supported by IE8+ and WebKit (Safari and Chrome), but Firefox is looking to add support for this in bug 528661.

Specifically, we want to add:
X-XSS-Protection: 1; mode=block

Details at http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
Comment 1 (reed, assignee), 6 years ago
Also http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Comment 2 (reed, assignee), 6 years ago
Created attachment 554736 [details] [diff] [review]
patch - v1

Simple patch to add the header to all requests. Is there anywhere we wouldn't want to send it?

Do these headers get included for patches, or do I need to add it there as well? Specifically, Bugzilla/Attachment/PatchReader.pm and attachment.cgi.
Assignee: general → reed
Status: NEW → ASSIGNED
Updated (reed, assignee), 6 years ago
Whiteboard: [wanted-bmo] → [wanted-bmo][infrasec:bestpractice][ws:none]

Comment 3 (Frédéric Buclin), 6 years ago
I'm impressed that we need to tell a browser to block XSS...
Comment 4 (reed, assignee), 6 years ago
(In reply to Frédéric Buclin from comment #3)
> I'm impressed that we need to tell a browser to block XSS...

No, we're telling the browser to completely block the XSS rather than attempting to rewrite it into something safer. By default, IE and WebKit attempt to rewrite some simple XSS vulnerabilities into something safe. However, it's better (from a security standpoint) to outright block the possible XSS (and not try to rewrite it to be "safer").

Comment 5, 6 years ago
It only blocks things if you attempt to actually load them in the browser, right? So security researchers could still load PoCs as local files after downloading them?

If so, I'm totally in support of this and totally agree that we should add it everywhere. It's funny, actually, I was just thinking we should add this header; thanks for filing the bug and writing the patch, reed! :-)

Updated, 6 years ago
Target Milestone: --- → Bugzilla 5.0

Comment 6, 6 years ago
Comment on attachment 554736 [details] [diff] [review]
patch - v1

Looks right to me!
Attachment #554736 - Flags: review+

Comment 7, 6 years ago
LpSolit, does this sound good to you?
Flags: approval?
Comment 8 (reed, assignee), 6 years ago
See my question in comment #2 as well... I think we probably need to add it there, too.

Comment 9, 6 years ago
From what I can see, this header is passed even when viewing attachments, both in Diff and Raw mode. So this patch seems fine as is.
Flags: approval? → approval+
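The description asks for the exact header value "X-XSS-Protection: 1; mode=block" on every response, comment 4 explains why blocking is preferable to the browser's rewrite mode, and comment 9 confirms the header reaches attachment views in both Diff and Raw mode. The following Python is an added example written for this page, not Bugzilla's code and not the patch to Bugzilla/CGI.pm: a WSGI middleware that forces the blocking value onto every response (overriding any weaker value a handler set), a parser that distinguishes "0", "1" and "1; mode=block", and an audit that reports paths whose response is missing the blocking header. The demo app, its paths and the sample responses are constructed for the example and only stand in for Bugzilla's CGIs.

```python
"""Added example (not Bugzilla's own code): enforce and audit
X-XSS-Protection: 1; mode=block on every HTTP response."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]

HEADER_NAME = "X-XSS-Protection"
HEADER_VALUE = "1; mode=block"  # the exact value the bug asks Bugzilla to send


def xss_protection_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so that every response carries the blocking header.

    Any X-XSS-Protection value set by the inner app is replaced, so a single
    handler cannot downgrade to '1' (rewrite mode) or '0' (filter off).
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != HEADER_NAME.lower()]
            kept.append((HEADER_NAME, HEADER_VALUE))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def parse_xss_protection(value: str) -> Optional[Tuple[bool, Dict[str, str]]]:
    """Parse a header value into (filter_enabled, directives).

    '0'             -> (False, {})               filter switched off
    '1'             -> (True, {})                filter on, browser rewrites the page
    '1; mode=block' -> (True, {'mode': 'block'}) filter on, page blocked outright
    Returns None for anything malformed, so callers treat it as unprotected.
    """
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return None
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().lower()
    return parts[0] == "1", directives


def is_blocking(value: str) -> bool:
    """True only for the configuration the bug wants: filter on and mode=block."""
    parsed = parse_xss_protection(value)
    if parsed is None:
        return False
    enabled, directives = parsed
    return enabled and directives.get("mode") == "block"


def audit(responses: Iterable[Tuple[str, Headers]]) -> List[str]:
    """Return the paths whose response lacks a blocking X-XSS-Protection header.

    A missing header, a '0' or bare '1' value, or a duplicate header with a
    weaker value all count as failures: each leaves the page in rewrite mode
    or unprotected in the browsers that honour the header.
    """
    failing = []
    for path, headers in responses:
        values = [v for k, v in headers if k.lower() == HEADER_NAME.lower()]
        if not values or not all(is_blocking(v) for v in values):
            failing.append(path)
    return failing


# --- constructed demo app: a stand-in for Bugzilla's CGIs, not Bugzilla code ---
def demo_app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/attachment.cgi":
        # raw attachment view; comment 2 asks whether these responses get the header
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"--- a/Bugzilla/CGI.pm\n+++ b/Bugzilla/CGI.pm\n"]
    if path == "/legacy.cgi":
        # a handler that turns the filter off; the middleware overrides it
        start_response("200 OK", [("Content-Type", "text/html"), (HEADER_NAME, "0")])
        return [b"<html>legacy</html>"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>bug page</html>"]


def collect(app: Callable, paths: Iterable[str]) -> List[Tuple[str, Headers]]:
    """Drive a WSGI app for each path and return (path, response headers) pairs."""
    results = []
    for path in paths:
        captured: Dict[str, Headers] = {}

        def start_response(status, headers, exc_info=None):
            captured["headers"] = headers

        body = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
        b"".join(body)  # consume the body as a real server would
        results.append((path, captured["headers"]))
    return results


DEMO_PATHS = ["/show_bug.cgi", "/attachment.cgi", "/legacy.cgi"]


def run_demo() -> Tuple[List[str], List[str]]:
    """Audit the demo app before and after wrapping it in the middleware."""
    before = audit(collect(demo_app, DEMO_PATHS))
    after = audit(collect(xss_protection_middleware(demo_app), DEMO_PATHS))
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

Running the block audits the three constructed paths twice: without the middleware all three fail (two have no header, one sends "0"), with it none do, which is the "all requests, attachments included" property comment 9 checked by hand. The audit function can be pointed at captured headers from a real deployment in the same (path, headers) shape. One caveat for today's reader: current Chromium-based browsers have since removed the XSS filter and Firefox never shipped one, so this header is now a legacy hardening setting and Content-Security-Policy is the mechanism to rely on.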
Comment 10 (reed, assignee), 6 years ago
I'd like to add this to 4.2 as well, if possible.
Flags: approval4.2?
Target Milestone: Bugzilla 5.0 → Bugzilla 4.2
Comment 11 (reed, assignee), 6 years ago
mkanat said no.
Flags: approval4.2?
Target Milestone: Bugzilla 4.2 → Bugzilla 5.0
Comment 12 (reed, assignee), 6 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/CGI.pm
Committed revision 8010.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Comment 13 (David Lawrence [:dkl])

bmo/4.0:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
modified Bugzilla/CGI.pm
Committed revision 7953.

bmo/4.2:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
modified Bugzilla/CGI.pm
Committed revision 7953.

Comment 14 (David Lawrence [:dkl])

(In reply to David Lawrence [:dkl] from comment #13)
> bmo/4.0:
> Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
> modified Bugzilla/CGI.pm
> Committed revision 7953.

Note: This commit has been backed out pending further testing.

dkl

Updated, 5 years ago
Keywords: relnote
Comment 15 (reed, assignee), 5 years ago
A year and several IE-specific security issues later, I'd like to try again for 4.2 backport. Note that this feature has been supported by IE since 2008, so it's not some new radical thing. Chrome has supported it for a while as well, and Firefox is looking to add it soon in bug 528661. I've backported it to bmo/4.0 as well.
Status: RESOLVED → REOPENED
Flags: approval4.2?
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.2

Updated, 5 years ago
Flags: approval4.2? → approval4.2+
Comment 16 (reed, assignee), 5 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/CGI.pm
Committed revision 8138.
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago → 5 years ago
Resolution: --- → FIXED

Comment 17, 5 years ago
Added to relnotes for 4.4 and 4.2.4.
Keywords: relnote