aboutsummaryrefslogtreecommitdiff
path: root/src/util.rs
diff options
context:
space:
mode:
authorDaniel García <[email protected]>2022-03-26 16:18:34 +0100
committerDaniel García <[email protected]>2022-03-26 16:18:34 +0100
commit81f0c2b0e8b9f2b7cdb14a45047013806b34d815 (patch)
tree76027f430383f0492c69edc19bc5b6bdb64415d9 /src/util.rs
parent80d8aa72394bb9897f9c03b94ae65dcfa7110d67 (diff)
parent27d4b713f6281e531d9622de09373adf7170384b (diff)
downloadvaultwarden-81f0c2b0e8b9f2b7cdb14a45047013806b34d815.tar.gz
vaultwarden-81f0c2b0e8b9f2b7cdb14a45047013806b34d815.zip
Merge branch 'x-xss-protection' of https://github.com/Wonderfall/vaultwarden into Wonderfall-x-xss-protection
Diffstat (limited to 'src/util.rs')
-rw-r--r--src/util.rs3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/util.rs b/src/util.rs
index ae2639fb..677e5860 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -34,7 +34,8 @@ impl Fairing for AppHeaders {
res.set_raw_header("Referrer-Policy", "same-origin");
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
res.set_raw_header("X-Content-Type-Options", "nosniff");
- res.set_raw_header("X-XSS-Protection", "1; mode=block");
+ // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP
+ res.set_raw_header("X-XSS-Protection", "0");
let csp = format!(
// Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
// Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US