This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new d61570ec0f Fix BZ 66622 - remove xssProtectionEnabled due to no
browser support
d61570ec0f is described below
commit d61570ec0f727559957ff348146f09b15d713dc0
Author: Mark Thomas <[email protected]>
AuthorDate: Wed May 31 18:20:01 2023 +0100
Fix BZ 66622 - remove xssProtectionEnabled due to no browser support
---
.../catalina/filters/HttpHeaderSecurityFilter.java | 20 --------------------
webapps/docs/changelog.xml | 5 +++++
webapps/docs/config/filter.xml | 8 --------
3 files changed, 5 insertions(+), 28 deletions(-)
diff --git a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
index d4870a6214..3302a1cd2a 100644
--- a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
+++ b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
@@ -60,11 +60,6 @@ public class HttpHeaderSecurityFilter extends FilterBase {
private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE =
"nosniff";
private boolean blockContentTypeSniffingEnabled = true;
- // Cross-site scripting filter protection
- private static final String XSS_PROTECTION_HEADER_NAME =
"X-XSS-Protection";
- private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
- private boolean xssProtectionEnabled = true;
-
@Override
public void init(FilterConfig filterConfig) throws ServletException {
super.init(filterConfig);
@@ -116,11 +111,6 @@ public class HttpHeaderSecurityFilter extends FilterBase {
httpResponse.setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
}
-
- // cross-site scripting filter protection
- if (xssProtectionEnabled) {
- httpResponse.setHeader(XSS_PROTECTION_HEADER_NAME,
XSS_PROTECTION_HEADER_VALUE);
- }
}
chain.doFilter(request, response);
@@ -238,16 +228,6 @@ public class HttpHeaderSecurityFilter extends FilterBase {
}
- public boolean isXssProtectionEnabled() {
- return xssProtectionEnabled;
- }
-
-
- public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
- this.xssProtectionEnabled = xssProtectionEnabled;
- }
-
-
private enum XFrameOption {
DENY("DENY"), SAME_ORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM");
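Review bot: Dropping setXssProtectionEnabled outright, with no deprecated no-op left behind, turns an existing `<init-param>xssProtectionEnabled</init-param>` in a deployed web.xml into an unknown property at filter init; if FilterBase treats unknown init-params as fatal for this filter (its init is only partly visible in the earlier hunk via `super.init(filterConfig)`), those deployments will fail to start after upgrade rather than silently stop sending the header. A gentler path is to keep a deprecated setter that ignores the value for one release, e.g. `/** @deprecated The X-XSS-Protection header is no longer emitted; this setting is ignored and will be removed. */`, `@Deprecated`, `public void setXssProtectionEnabled(boolean xssProtectionEnabled) { /* intentionally ignored */ }`. It is also worth noting in the filter docs that operators who still serve legacy browsers with the auditor enabled may want to emit `X-XSS-Protection: 0` themselves, since the auditor itself has been a source of cross-site leaks, and that Content-Security-Policy is the supported replacement. The enclosing class continues outside this hunk.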
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ca43056856..cdfce35c9e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -149,6 +149,11 @@
<bug>66621</bug>: Attempts to lock a collection with WebDAV may
incorrectly fail if a child collection has an expired lock. (markt)
</fix>
+ <fix>
+ <bug>66622</bug>: Remove the <code>xssProtectionEnabled</code> setting
+ from the <code>HttpHeaderSecurityFilter</code> as support for the
+ associated HTTP header has been removed from all major browsers.
(markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 617167d3e4..4ed22b776e 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -948,14 +948,6 @@ FINE: Request "/docs/config/manager.html" with response
status "200"
default value of <code>true</code> will be used.</p>
</attribute>
- <attribute name="xssProtectionEnabled" required="false">
- <p>Should the header that enables the browser's cross-site scripting
- filter protection (<code>X-XSS-Protection: 1; mode=block</code>)
- be set on every response. If already present, the header
- will be replaced. If not specified, the default value of
- <code>true</code> will be used.</p>
- </attribute>
-
</attributes>
</subsection>