mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.

This commit is contained in:
Tim Graham
2021-04-23 08:59:35 -04:00
committed by Mariusz Felisiak
parent 8bcb00858e
commit 54da6e2ac2
8 changed files with 23 additions and 82 deletions


@@ -357,6 +357,24 @@ subdomains by setting :setting:`CSRF_COOKIE_DOMAIN` (or
:setting:`SESSION_COOKIE_DOMAIN` if :setting:`CSRF_USE_SESSIONS` is enabled) to
a value starting with a dot.
``SecurityMiddleware`` no longer sets the ``X-XSS-Protection`` header
---------------------------------------------------------------------
The :class:`~django.middleware.security.SecurityMiddleware` no longer sets the
``X-XSS-Protection`` header if the ``SECURE_BROWSER_XSS_FILTER`` setting is
``True``. The setting is removed.
Most modern browsers don't honor the ``X-XSS-Protection`` HTTP header. You can
use Content-Security-Policy_ without allowing ``'unsafe-inline'`` scripts
instead.
If you want to support legacy browsers and set the header, use this line in a
custom middleware::
response.headers.setdefault('X-XSS-Protection', '1; mode=block')
.. _Content-Security-Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Miscellaneous
-------------
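Review bot: the migration advice in the added release note gives only the single line `response.headers.setdefault('X-XSS-Protection', '1; mode=block')` after "use this line in a custom middleware", with no indication of where in a middleware it belongs; consider expanding it to a minimal middleware skeleton (a `__call__` that obtains the response, calls `setdefault`, and returns it) or linking the "writing your own middleware" page, so users migrating off `SECURE_BROWSER_XSS_FILTER` don't have to guess. The note also states "The setting is removed." without saying which release deprecated it; a pointer to the deprecation would help readers who skipped intermediate versions. Finally, since the note now refers to the setting with plain literal markup rather than the `:setting:` role, make sure none of the other seven changed files (or any file not in this commit) still uses `:setting:`SECURE_BROWSER_XSS_FILTER``, as that would leave a dangling cross-reference once the setting's documentation target is gone.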