mirror of
https://github.com/CHN-beta/nixpkgs.git
synced 2026-01-12 02:40:31 +08:00
409107d2f5
Part of #438800. The OWASP recommentation[1] is: > The X-XSS-Protection header has been deprecated by modern browsers > and its use can introduce additional security issues on the client > side. As such, it is recommended to set the header as X-XSS-Protection: 0 > in order to disable the XSS Auditor, and not allow it to take the default > behavior of the browser handling the response. Please use > Content-Security-Policy instead. Hence, we turn this off, diverging from the upstream defaults here. An upstream issue has been opened[2]. [1] https://owasp.org/www-project-secure-headers/#x-xss-protection [2] https://github.com/grafana/grafana/issues/110369