Description
X-XSS-Protection parser should reject '0; mode=block'
A recent study[1] notes that ~480 sites serve the invalid header
'X-XSS-Protection: 0;mode=block'. We currently accept this header as
disabling the XSSAuditor. This CL changes our behavior to reject any XSS
protection header that begins with 0 and has any other non-whitespace
character after the 0.
[1]: http://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/
BUG=323853
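The rule described above, as an added example that is not Chromium's own parser: it assumes a simplified grammar of "0", "1" and "1; mode=block" (the report= directive is not modelled), and returns a distinct Invalid result for a value that starts with '0' followed by anything other than whitespace, so that '0; mode=block' is no longer taken as an instruction to disable the auditor.

```cpp
#include <cctype>
#include <string>

// Outcome of parsing an X-XSS-Protection header value.
enum class XssProtection { Unset, Disabled, Filter, Block, Invalid };

namespace {
// Advance i past any whitespace in s.
void skipWhitespace(const std::string& s, size_t& i) {
    while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
}

// True if s, starting at i, matches `token` case-insensitively and nothing
// but whitespace follows it.
bool matchesToEnd(const std::string& s, size_t i, const std::string& token) {
    for (char c : token) {
        if (i >= s.size() || std::tolower(static_cast<unsigned char>(s[i])) != c) return false;
        ++i;
    }
    skipWhitespace(s, i);
    return i == s.size();
}
}  // namespace

// Parse an X-XSS-Protection value (assumed grammar: "0", "1", "1; mode=block").
// A value that begins with '0' followed by any non-whitespace character, such as
// "0; mode=block", is reported as Invalid rather than Disabled; that is the
// behaviour change the CL above describes.
XssProtection parseXssProtection(const std::string& value) {
    size_t i = 0;
    skipWhitespace(value, i);
    if (i == value.size()) return XssProtection::Unset;  // empty header value
    if (value[i] == '0') {
        ++i;
        skipWhitespace(value, i);
        // Only trailing whitespace may follow the 0; anything else is rejected.
        return i == value.size() ? XssProtection::Disabled : XssProtection::Invalid;
    }
    if (value[i] != '1') return XssProtection::Invalid;
    ++i;
    skipWhitespace(value, i);
    if (i == value.size()) return XssProtection::Filter;  // plain "1"
    if (value[i] != ';') return XssProtection::Invalid;
    ++i;
    skipWhitespace(value, i);
    return matchesToEnd(value, i, "mode=block") ? XssProtection::Block
                                                : XssProtection::Invalid;
}
```

A caller that maps Invalid to its default (filtering on) rather than to Disabled preserves the protection that the malformed '0;mode=block' form would otherwise have switched off.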
Patch Set 1