Bug 680771 - Send X-XSS-Protection header for XSS prevention/blocking
Status: RESOLVED FIXED (closed)
Opened 13 years ago; closed 12 years ago
Product / Component: Bugzilla :: Bugzilla-General (enhancement)
Target Milestone: Bugzilla 4.2
Reporter: reed; Assigned: reed
Whiteboard: [wanted-bmo][infrasec:bestpractice][ws:none]
Attachments (1 file)
patch (457 bytes): review+ from mkanat
We should start sending the X-XSS-Protection header with most requests to help protect against XSS attacks. Right now, this is only supported by IE8+ and WebKit (Safari and Chrome), but Firefox is looking to add support for this in bug 528661.
Specifically, we want to add:
X-XSS-Protection: 1; mode=block
Details at http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
Comment 1 • 13 years ago (assignee)
Comment 2 • 13 years ago (assignee)
Simple patch to add the header to all requests. Is there anywhere we wouldn't want to send it?
Do these headers get included for patches, or do I need to add it there as well? Specifically, Bugzilla/Attachment/PatchReader.pm and attachment.cgi.
Assignee: general → reed
Status: NEW → ASSIGNED
Updated • 13 years ago (assignee)
Whiteboard: [wanted-bmo] → [wanted-bmo][infrasec:bestpractice][ws:none]
Comment 3 • 13 years ago (Frédéric Buclin)
I'm impressed that we need to tell a browser to block XSS...
Comment 4 • 13 years ago (assignee)
(In reply to Frédéric Buclin from comment #3)
> I'm impressed that we need to tell a browser to block XSS...
No, we're telling the browser to completely block the XSS rather than attempting to rewrite it into something safer. By default, IE and WebKit attempt to rewrite some simple XSS vulnerabilities into something safe. However, it's better (from a security standpoint) to outright block the possible XSS (and not try to rewrite it to be "safer").
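To make the description's header grammar and the filter-versus-block distinction from comment 4 concrete, here is an added example (not code from this bug, from Bugzilla, or from the commenters): a small parser for X-XSS-Protection values and an audit that classifies a set of responses as missing, disabled, filter-only (the browser rewrites the suspected injection), block, or malformed. The header names, paths and response sets below are constructed for the example. One caveat a practitioner should carry forward: the header is now legacy. Chromium removed its XSS Auditor in 2019 and Firefox never implemented the header, so current hardening guidance is a Content-Security-Policy rather than reliance on this filter; the audit is still useful for finding inconsistent or malformed values across an application's endpoints.

```python
"""Parse and audit X-XSS-Protection header values.

Grammar as documented for IE8+ and honoured by WebKit at the time:
    X-XSS-Protection: 0                 -- filter disabled
    X-XSS-Protection: 1                 -- filter on, rewrite (sanitise) mode
    X-XSS-Protection: 1; mode=block     -- filter on, block the whole page
    X-XSS-Protection: 1; report=<uri>   -- WebKit/Chromium extension
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class XssProtection:
    enabled: bool
    mode: Optional[str] = None       # "block", or None for rewrite mode
    report: Optional[str] = None     # report URI, if the WebKit extension is used
    unknown: List[str] = field(default_factory=list)  # directives we did not recognise


def parse_xss_protection(value: str) -> XssProtection:
    """Parse one header value. Raises ValueError on a malformed value."""
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    if flag not in ("0", "1"):
        raise ValueError(f"first token must be 0 or 1, got {flag!r}")
    result = XssProtection(enabled=(flag == "1"))
    for directive in parts[1:]:
        if not directive:
            continue
        name, sep, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode":
            # "block" is the only mode ever defined for this header.
            if arg.lower() != "block":
                raise ValueError(f"unsupported mode {arg!r}")
            result.mode = "block"
        elif name == "report":
            if not sep or not arg:
                raise ValueError("report= requires a URI")
            result.report = arg
        else:
            result.unknown.append(directive)
    return result


def classify(headers: Dict[str, str]) -> str:
    """Classify one response's headers.

    Returns "missing", "disabled", "filter", "block" or "malformed".
    Header-name lookup is case-insensitive, as HTTP requires.
    """
    value = None
    for name, v in headers.items():
        if name.lower() == "x-xss-protection":
            value = v
            break
    if value is None:
        return "missing"
    try:
        parsed = parse_xss_protection(value)
    except ValueError:
        return "malformed"
    if not parsed.enabled:
        return "disabled"
    return "block" if parsed.mode == "block" else "filter"


# Constructed sample: the kind of header sets an audit would capture from
# several endpoints of a web application (hypothetical paths and values).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "show_bug.cgi":   {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
    "attachment.cgi": {"Content-Type": "text/plain", "x-xss-protection": "1"},
    "legacy.cgi":     {"Content-Type": "text/html"},
    "api.cgi":        {"Content-Type": "application/json", "X-XSS-Protection": "0"},
    "odd.cgi":        {"X-XSS-Protection": "yes"},
}


def audit(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Return a path -> classification map; anything not "block" is worth a look."""
    return {path: classify(h) for path, h in responses.items()}


if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{path:16s} {verdict}")
```

Run stand-alone it prints one verdict per path; in a real assessment, feed `classify` the header dict from each captured response and treat "filter" (rewrite mode) as the inconsistency the thread is discussing, since that is the mode comment 4 argues against.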
Comment 5 • 13 years ago
It only blocks things if you attempt to actually load them in the browser, right? So security researchers could still load PoCs as local files after downloading them?
If so, I'm totally in support of this and totally agree that we should add it everywhere. It's funny, actually, I was just thinking we should add this header; thanks for filing the bug and writing the patch, reed! :-)
Updated • 13 years ago
Target Milestone: --- → Bugzilla 5.0
Comment 6 • 13 years ago
Comment on attachment 554736 [details] [diff] [review]
patch - v1
Looks right to me!
Attachment #554736 - Flags: review+
Comment 8 • 13 years ago (assignee)
See my question in comment #2 as well... I think we probably need to add it there, too.
Comment 9 • 13 years ago
From what I can see, this header is passed even when viewing attachments, both in Diff and Raw mode. So this patch seems fine as is.
Flags: approval? → approval+
Comment 10 • 13 years ago (assignee)
I'd like to add this to 4.2 as well, if possible.
Flags: approval4.2?
Target Milestone: Bugzilla 5.0 → Bugzilla 4.2
Comment 11 • 13 years ago (assignee)
mkanat said no.
Flags: approval4.2?
Target Milestone: Bugzilla 4.2 → Bugzilla 5.0
Comment 12 • 13 years ago (assignee)
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/CGI.pm
Committed revision 8010.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 13 • 13 years ago (David Lawrence [:dkl])
bmo/4.0:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
modified Bugzilla/CGI.pm
Committed revision 7953.
bmo/4.2:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
modified Bugzilla/CGI.pm
Committed revision 7953.
Comment 14 • 13 years ago
(In reply to David Lawrence [:dkl] from comment #13)
> bmo/4.0:
> Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
> modified Bugzilla/CGI.pm
> Committed revision 7953.
Note: This commit has been backed out pending further testing.
dkl
Comment 15 • 12 years ago (assignee)
A year and several IE-specific security issues later, I'd like to try again for 4.2 backport. Note that this feature has been supported by IE since 2008, so it's not some new radical thing. Chrome has supported it for a while as well, and Firefox is looking to add it soon in bug 528661. I've backported it to bmo/4.0 as well.
Status: RESOLVED → REOPENED
Flags: approval4.2?
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.2
Updated • 12 years ago
Flags: approval4.2? → approval4.2+
Comment 16 • 12 years ago (assignee)
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/CGI.pm
Committed revision 8138.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 12 years ago
Resolution: --- → FIXED