This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new d61570ec0f Fix BZ 66622 - remove xssProtectionEnabled due to no browser support d61570ec0f is described below commit d61570ec0f727559957ff348146f09b15d713dc0 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed May 31 18:20:01 2023 +0100 Fix BZ 66622 - remove xssProtectionEnabled due to no browser support
---
 .../catalina/filters/HttpHeaderSecurityFilter.java | 20 -------------------- webapps/docs/changelog.xml | 5 +++++ webapps/docs/config/filter.xml | 8 -------- 3 files changed, 5 insertions(+), 28 deletions(-)
diff --git a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
index d4870a6214..3302a1cd2a 100644
--- a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
+++ b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
@@ -60,11 +60,6 @@ public class HttpHeaderSecurityFilter extends FilterBase {
 private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
 private boolean blockContentTypeSniffingEnabled = true;
- // Cross-site scripting filter protection
- private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection";
- private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
- private boolean xssProtectionEnabled = true;
-
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
 super.init(filterConfig);
@@ -116,11 +111,6 @@ public class HttpHeaderSecurityFilter extends FilterBase {
 httpResponse.setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME, BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
 }
-
- // cross-site scripting filter protection
- if (xssProtectionEnabled) {
- httpResponse.setHeader(XSS_PROTECTION_HEADER_NAME, XSS_PROTECTION_HEADER_VALUE);
- }
 }
 chain.doFilter(request, response);
@@ -238,16 +228,6 @@ public class HttpHeaderSecurityFilter extends FilterBase {
 }
- public boolean isXssProtectionEnabled() {
- return xssProtectionEnabled;
- }
-
-
- public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
- this.xssProtectionEnabled = xssProtectionEnabled;
- }
-
-
 private enum XFrameOption { DENY("DENY"), SAME_ORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ca43056856..cdfce35c9e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -149,6 +149,11 @@
 <bug>66621</bug>: Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock. (markt) </fix>
+ <fix>
+ <bug>66622</bug>: Remove the <code>xssProtectionEnabled</code> setting
+ from the <code>HttpHeaderSecurityFilter</code> as support for the
+ associated HTTP header has been removed from all major browsers. (markt)
+ </fix>
 </changelog> </subsection> <subsection name="Coyote">
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 617167d3e4..4ed22b776e 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -948,14 +948,6 @@ FINE: Request "/docs/config/manager.html" with response status "200"
 default value of <code>true</code> will be used.</p> </attribute>
- <attribute name="xssProtectionEnabled" required="false">
- <p>Should the header that enables the browser's cross-site scripting
- filter protection (<code>X-XSS-Protection: 1; mode=block</code>)
- be set on every response. If already present, the header
- will be replaced. If not specified, the default value of
- <code>true</code> will be used.</p>
- </attribute>
-
 </attributes> </subsection>
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org