Fix #19

dvershinin · dvershinin · commit bf02dd710a9c · 2023-09-05T23:45:14.000+07:00
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ Accept-Ranges: bytes
 Connection: keep-alive
 <b>X-Frame-Options: SAMEORIGIN
 X-Content-Type-Options: nosniff
-X-XSS-Protection: 1; mode=block
+X-XSS-Protection: 0
 Referrer-Policy: strict-origin-when-cross-origin
 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload</b>
 </pre>
@@ -70,7 +70,7 @@ start NGINX with the module to avoid having your domain preloaded by Chrome.
 Enables or disables applying security headers. The default set includes:
 
 * `X-Frame-Options: SAMEORIGIN`
-* `X-XSS-Protection: 1; mode=block`
+* `X-XSS-Protection: 0`
 * `Referrer-Policy: strict-origin-when-cross-origin`
 * `X-Content-Type-Options: nosniff`
 
@@ -105,12 +105,15 @@ A special value `omit` disables sending a particular header by the module (usefu
 ### `security_headers_xss`
 
 - **syntax**: `security_headers_xss off | on | block | omit`
-- **default**: `block`
+- **default**: `off`
 - **context**: `http`, `server`, `location`
 
 Controls `X-XSS-Protection` header. 
 Special `omit` value will disable sending the header by the module. 
 The `off` value is for disabling XSS protection: `X-XSS-Protection: 0`.
+This is the default because 
+[modern browsers do not support it](https://github.com/GetPageSpeed/ngx_security_headers/issues/19) and where it is 
+supported, it introduces vulnerabilities.
 
 ### `security_headers_frame`
 
diff --git a/src/ngx_http_security_headers_module.c b/src/ngx_http_security_headers_module.c
@@ -366,7 +366,7 @@ ngx_http_security_headers_merge_loc_conf(ngx_conf_t *cf, void *parent,
     }
 
     ngx_conf_merge_uint_value(conf->xss, prev->xss,
-                              NGX_HTTP_XSS_HEADER_BLOCK);
+                              NGX_HTTP_XSS_HEADER_OFF);
     ngx_conf_merge_uint_value(conf->fo, prev->fo,
                               NGX_HTTP_FO_HEADER_SAME);
     ngx_conf_merge_uint_value(conf->rp, prev->rp,
diff --git a/t/headers.t b/t/headers.t
@@ -35,7 +35,7 @@ hello world
 content-type: text/plain; charset=utf-8
 x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
-x-xss-protection: 1; mode=block
+x-xss-protection: 0
 
 
 
@@ -116,7 +116,7 @@ hello world
 --- response_headers
 x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
-x-xss-protection: 1; mode=block
+x-xss-protection: 0
 referrer-policy: unsafe-url
 
 
@@ -141,7 +141,7 @@ hello world
 --- response_headers
 x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
-x-xss-protection: 1; mode=block
+x-xss-protection: 0
 referrer-policy: origin
 
 === TEST 8: X-Frame-Options should not be sent for CSS (even when encoding specified)
@@ -159,4 +159,4 @@ referrer-policy: origin
 hello world
 --- response_headers
 content-type: text/css; charset=utf-8
-!x-frame-options
+!x-frame-options

Original file line number	Diff line number	Diff line change
`@@ -366,7 +366,7 @@ ngx_http_security_headers_merge_loc_conf(ngx_conf_t cf, void parent,`
`366`	`366`	`}`
`367`	`367`
`368`	`368`	`ngx_conf_merge_uint_value(conf->xss, prev->xss,`
`369`		`- NGX_HTTP_XSS_HEADER_BLOCK);`
	`369`	`+ NGX_HTTP_XSS_HEADER_OFF);`
`370`	`370`	`ngx_conf_merge_uint_value(conf->fo, prev->fo,`
`371`	`371`	`NGX_HTTP_FO_HEADER_SAME);`
`372`	`372`	`ngx_conf_merge_uint_value(conf->rp, prev->rp,`