Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/05/31 17:27:32 UTC
[tomcat] branch 9.0.x updated: Fix 66622 - deprecate xssProtectionEnabled and change default to false
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 5bc5fd9895 Fix 66622 - deprecate xssProtectionEnabled and change default to false
5bc5fd9895 is described below
commit 5bc5fd98954d62bde9e7d2f90cbd254cf4af58a9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed May 31 18:25:55 2023 +0100
Fix 66622 - deprecate xssProtectionEnabled and change default to false
Support for the associated HTTP header has been removed from all major
browsers.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66622
---
java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java | 7 ++++++-
webapps/docs/changelog.xml | 6 ++++++
webapps/docs/config/filter.xml | 5 ++++-
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
index 0f81aa31d0..668ce3b444 100644
--- a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
+++ b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
@@ -61,9 +61,12 @@ public class HttpHeaderSecurityFilter extends FilterBase {
private boolean blockContentTypeSniffingEnabled = true;
// Cross-site scripting filter protection
+ @Deprecated
private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection";
+ @Deprecated
private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
- private boolean xssProtectionEnabled = true;
+ @Deprecated
+ private boolean xssProtectionEnabled = false;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
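Review bot: The `@Deprecated` markers added to the two private constants and the private field in this hunk carry no explanation, and because the members are private no caller will ever see a deprecation warning, so a source comment is the only signal a maintainer gets about why the header is being retired and when the code goes away. The commit message and the filter.xml hunk in this same commit already hold that information (browser support dropped, setting removed in 11.0.x), so it is worth putting it next to the field rather than leaving the bare annotation. Suggest widening the existing header comment to `// Cross-site scripting filter protection. Deprecated (bug 66622): browsers no longer honour X-XSS-Protection; the setting is removed in 11.0.x onwards.`. The `init` method whose signature closes this hunk continues outside it.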
@@ -238,11 +241,13 @@ public class HttpHeaderSecurityFilter extends FilterBase {
}
+ @Deprecated
public boolean isXssProtectionEnabled() {
return xssProtectionEnabled;
}
+ @Deprecated
public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
this.xssProtectionEnabled = xssProtectionEnabled;
}
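Review bot: `isXssProtectionEnabled` and `setXssProtectionEnabled` gain `@Deprecated` but no Javadoc `@deprecated` tag, so any code calling them gets a compiler warning with no indication of what to do about it or when the members disappear; the annotation and the tag are meant to be used together. Suggest a short Javadoc on each accessor stating the reason and the timeline the commit already documents elsewhere, e.g. `/** @deprecated Browsers no longer support X-XSS-Protection; this setting is removed in Tomcat 11.0.x onwards. */`. If the branch's language level permits it, `@Deprecated(forRemoval = true)` would make the removal intent visible to tooling as well, but that cannot be confirmed from this hunk. The method closed by the `}` at the top of the hunk lies outside it.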
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f2fa4a5e93..b0ae0efbc6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -137,6 +137,12 @@
<bug>66621</bug>: Attempts to lock a collection with WebDAV may
incorrectly fail if a child collection has an expired lock. (markt)
</fix>
+ <fix>
+ <bug>66622</bug>: Deprecate the <code>xssProtectionEnabled</code>
+ setting from the <code>HttpHeaderSecurityFilter</code> and change the
+ default value to <code>false</code> as support for the associated HTTP
+ header has been removed from all major browsers. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 617167d3e4..053f0277a8 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -949,11 +949,14 @@ FINE: Request "/docs/config/manager.html" with response status "200"
</attribute>
<attribute name="xssProtectionEnabled" required="false">
+ <p><strong>Note: This setting is deprecated as support for the HTTP
+ header has been removed from all major browsers. The setting has been
+ removed in Tomcat 11.0.x onwards.</strong></p>
<p>Should the header that enables the browser's cross-site scripting
filter protection (<code>X-XSS-Protection: 1; mode=block</code>)
be set on every response. If already present, the header
will be replaced. If not specified, the default value of
- <code>true</code> will be used.</p>
+ <code>false</code> will be used.</p>
</attribute>
</attributes>