Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/12/14 19:09:36 UTC

[Bug 58735] New: Add support for X-XSS-Protection header

https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

            Bug ID: 58735
           Summary: Add support for X-XSS-Protection header
           Product: Tomcat 9
           Version: 9.0.0.M1
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: jacopo.cappellato@gmail.com

Created attachment 33349
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33349&action=edit
The patch that implements this feature.

Tomcat's HttpHeaderSecurityFilter allows setting useful security-related
headers, but it doesn't support the X-XSS-Protection header:
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

The attached patch enhances the filter to support this header.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 58735] Add support for X-XSS-Protection header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

Ralf Hauser <ha...@acm.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hauser@acm.org



[Bug 58735] Add support for X-XSS-Protection header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

Sergey <va...@live.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vaysman@live.com



[Bug 58735] Add support for X-XSS-Protection header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Patch applied to 9.0.x for 9.0.0.M2 onwards, 8.0.x for 8.0.31 onwards and 7.0.x
for 7.0.68 onwards.

Thanks for the patch.



[Bug 58735] Add support for X-XSS-Protection header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

--- Comment #2 from Jacopo Cappellato <ja...@gmail.com> ---
Created attachment 33379
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33379&action=edit
Updated patch with filter's documentation



[Bug 58735] Add support for X-XSS-Protection header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Some documentation would be nice:
webapps/docs/config/filter.xml



[Bug 58735] Add support for X-XSS-Protection header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

--- Comment #4 from Ralf Hauser <ha...@acm.org> ---
See also Bug 59754.
