This is an automated email from the ASF dual-hosted git repository.
sarutak pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new def2df42001e [SPARK-57904][UI] Change default value of
`spark.ui.xXssProtection` to `0`
def2df42001e is described below
commit def2df42001e202430651c0fb01a7d0d3b7074f2
Author: Kousuke Saruta <[email protected]>
AuthorDate: Fri Jul 3 21:27:37 2026 +0900
[SPARK-57904][UI] Change default value of `spark.ui.xXssProtection` to `0`
### What changes were proposed in this pull request?
This PR changes the default value of `spark.ui.xXssProtection` from `1;
mode=block` to `0`.
### Why are the changes needed?
The `X-XSS-Protection` header controls the browser's built-in XSS Auditor.
However, the XSS Auditor has been deprecated and removed from modern browsers:
- **Chrome**: Removed in Chrome 78 (2019)
- **Edge**: Removed after migrating to Chromium
- **Firefox**: Never implemented
In browsers that still support it (Safari), the XSS Auditor can introduce
**side-channel vulnerabilities** — attackers can exploit the filter's behavior
to leak page content. This is why the Chrome team removed it entirely rather
than just disabling it by default.
Setting the value to `0` explicitly disables the XSS Auditor in Safari,
eliminating this attack surface. MDN and OWASP both recommend either `0` or not
sending the header at all.
For modern XSS protection, `spark.ui.contentSecurityPolicy.enabled` should
be used instead.
References:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
-
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
### Does this PR introduce _any_ user-facing change?
Yes. The `X-XSS-Protection` response header value changes from `1;
mode=block` to `0`. This has no effect on Chrome, Edge, or Firefox (which have
already removed XSS Auditor support). In Safari, this disables the XSS Auditor,
which is a security improvement. To restore the legacy behavior, set
`spark.ui.xXssProtection` to `1; mode=block`.
### How was this patch tested?
A new test case was added to `HttpSecurityFilterSuite` to verify the
default value.
### Was this patch authored or co-authored using generative AI tooling?
Kiro CLI / Claude
Closes #56973 from sarutak/deprecate-x-xss-protection.
Authored-by: Kousuke Saruta <[email protected]>
Signed-off-by: Kousuke Saruta <[email protected]>
---
.../main/scala/org/apache/spark/internal/config/UI.scala | 7 +++++--
.../scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala | 13 +++++++++++++
docs/core-migration-guide.md | 2 ++
docs/security.md | 10 ++++++----
4 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/core/src/main/scala/org/apache/spark/internal/config/UI.scala
b/core/src/main/scala/org/apache/spark/internal/config/UI.scala
index 012f9a0bada7..fe8d7ef4b273 100644
--- a/core/src/main/scala/org/apache/spark/internal/config/UI.scala
+++ b/core/src/main/scala/org/apache/spark/internal/config/UI.scala
@@ -119,10 +119,13 @@ private[spark] object UI {
.createWithDefault(true)
val UI_X_XSS_PROTECTION = ConfigBuilder("spark.ui.xXssProtection")
- .doc("Value for HTTP X-XSS-Protection response header")
+ .doc("Value for HTTP X-XSS-Protection response header. The default is '0'
which disables " +
+ "the browser's XSS Auditor. The XSS Auditor has been removed from Chrome
and Edge, " +
+ "and was never implemented in Firefox. It can introduce side-channel
vulnerabilities " +
+ "in browsers that still support it (Safari). Use Content-Security-Policy
instead.")
.version("2.3.0")
.stringConf
- .createWithDefaultString("1; mode=block")
+ .createWithDefaultString("0")
val UI_X_CONTENT_TYPE_OPTIONS =
ConfigBuilder("spark.ui.xContentTypeOptions.enabled")
.doc("Set to 'true' for setting X-Content-Type-Options HTTP response
header to 'nosniff'")
diff --git
a/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
b/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
index 776f2e4496cc..0892c0e3ffc1 100644
--- a/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
+++ b/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
@@ -163,6 +163,19 @@ class HttpSecurityFilterSuite extends SparkFunSuite {
verify(res, times(0)).setHeader(meq("Content-Security-Policy"), any())
}
+ test("X-XSS-Protection defaults to 0") {
+ val conf = new SparkConf(false)
+ val secMgr = new SecurityManager(conf)
+ val req = mockRequest()
+ val res = mock(classOf[HttpServletResponse])
+ val chain = mock(classOf[FilterChain])
+
+ val filter = new HttpSecurityFilter(conf, secMgr)
+ filter.doFilter(req, res, chain)
+
+ verify(res).setHeader(meq("X-XSS-Protection"), meq("0"))
+ }
+
test("doAs impersonation") {
val conf = new SparkConf(false)
.set(ACLS_ENABLE, true)
diff --git a/docs/core-migration-guide.md b/docs/core-migration-guide.md
index f42d34dfeffe..d6ce5523f696 100644
--- a/docs/core-migration-guide.md
+++ b/docs/core-migration-guide.md
@@ -30,6 +30,8 @@ license: |
- Since Spark 4.3, Spark sets `allowPrivilegeEscalation` to `false` on the
driver and executor containers' security context by default. To restore the
legacy behavior, you can set
`spark.kubernetes.securityContext.allowPrivilegeEscalation` to `true`.
+- Since Spark 4.3, the default value of `spark.ui.xXssProtection` has been
changed from `1; mode=block` to `0`. The XSS Auditor has been removed from
Chrome and Edge, and was never implemented in Firefox. It can introduce
side-channel vulnerabilities in browsers that still support it (Safari). To
restore the legacy behavior, you can set `spark.ui.xXssProtection` to `1;
mode=block`. For modern XSS protection, consider enabling
`spark.ui.contentSecurityPolicy.enabled`.
+
## Upgrading from Core 4.1 to 4.2
- Since Spark 4.2, Spark Master REST API uses Java 21 virtual threads by
default when running on Java 21 or later. To restore the legacy behavior, you
can set `spark.master.rest.virtualThread.enabled` to `false`.
diff --git a/docs/security.md b/docs/security.md
index b3743d9a1b0a..9e28352b2010 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -766,12 +766,14 @@ Security.
<thead><tr><th>Property Name</th><th>Default</th><th>Meaning</th><th>Since
Version</th></tr></thead>
<tr>
<td><code>spark.ui.xXssProtection</code></td>
- <td><code>1; mode=block</code></td>
+ <td><code>0</code></td>
<td>
- Value for HTTP X-XSS-Protection response header. You can choose
appropriate value
- from below:
+ Value for HTTP X-XSS-Protection response header. The default is
<code>0</code> which
+ disables the browser's XSS Auditor. The XSS Auditor has been removed from
Chrome and
+ Edge, and was never implemented in Firefox. In browsers that still support
it (Safari),
+ it can introduce side-channel vulnerabilities. Use Content-Security-Policy
instead.
<ul>
- <li><code>0</code> (Disables XSS filtering)</li>
+ <li><code>0</code> (Disables XSS filtering. Recommended.)</li>
<li><code>1</code> (Enables XSS filtering. If a cross-site scripting
attack is detected,
the browser will sanitize the page.)</li>
<li><code>1; mode=block</code> (Enables XSS filtering. The browser will
prevent rendering
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]