Part of #438800.
The OWASP recommendation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
(cherry picked from commit c129255508)
Part of #438800.
The OWASP recommendation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
(cherry picked from commit 409107d2f5)
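The two commit messages above quote the OWASP guidance (send `X-XSS-Protection: 0`, rely on `Content-Security-Policy` instead) without showing how to verify that a deployment actually follows it. The following is an added example, not code from nixpkgs, Grafana or OWASP: a small checker that takes a response's headers and reports where they deviate from that guidance. It goes one step beyond the quoted text by also flagging a CSP whose script source list contains `'unsafe-inline'`, since such a policy gives little of the XSS protection the header is meant to replace. The function names (`audit_xss_headers`, `parse_csp`) and the sample header sets are my own constructions.

```python
"""Check HTTP response headers against the OWASP X-XSS-Protection guidance.

Added example (not project code). The header sets below are constructed
for illustration and were not captured from any real server.
"""
from typing import Dict, List, Mapping

# Constructed sample: the legacy default many servers still ship.
LEGACY_HEADERS = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: auditor disabled, CSP present, no inline scripts.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_xss_headers(headers: Mapping[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the headers follow the guidance."""
    # Header names are case-insensitive, so normalise before lookup.
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    xss = lower.get("x-xss-protection")
    if xss is not None:
        # Only the leading token ("0" or "1") decides whether the auditor is on;
        # anything after ";" (e.g. "mode=block") is a modifier.
        mode = xss.split(";", 1)[0].strip()
        if mode != "0":
            findings.append(
                f"X-XSS-Protection is '{xss}': the deprecated auditor is enabled; "
                "send 'X-XSS-Protection: 0' or drop the header"
            )

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append(
            "Content-Security-Policy is missing; it is the replacement for the XSS auditor"
        )
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(
                "Content-Security-Policy allows 'unsafe-inline' scripts, "
                "which largely defeats its protection against reflected XSS"
            )
    return findings


if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_xss_headers(hdrs) or "OK")
```

Feeding the checker the headers of a real service (e.g. the dict from `requests.get(url).headers`) tells you whether a reverse proxy in front of the application is re-adding the legacy header, which is a common way the `X-XSS-Protection: 0` setting gets undone.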
This was causing issues on newer versions of MariaDB (breaking
NixOS tests) like:
```
Error 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version
for the right syntax to use near '%2Cutf8' at line 1
```
Since this is simply a fallback character set and all supported versions
of MariaDB support utf8mb4, delete the fallback.
This change should be fully compatible with existing deployments.
(cherry picked from commit 6cc8a8cdb5)
EOL upstream.
We only have one hardened kernel at the moment because
LTS == latest available. This situation would've also happened before
the cleanup since 6.13/6.14 were removed in June already[1].
[1] 23b573705d
(cherry picked from commit 510532e9ae)
By the end of the month, I'll leave Flying Circus. Thanks a lot for the
journey together <3
The rootless-test for podman is something I decided to keep since I'm
using parts of the features covered in there myself.
(cherry picked from commit 201cb3e519)
The new `\restrict` mitigation creates random keys in the dump file by
default, which breaks a before/after test for the backup module. By
making the restrict key reproducible, the test passes again.
(cherry picked from commit 87e1134406)
prometheus-smokeping-prober was updated to 0.10.0 in #396980
which introduced a new label `tos` in its metrics.
Add it to the failing tests to make them match
the expected metric (and pass) again.
You could argue that the tests are a bit too greedy with the way
they match metrics, but I actually like it that way.
(cherry picked from commit 2103ba2688)