Merge pull request #9188 from minecrawler/feature/disable-xss-header

Remove XSS-Protection header from Nginx configs

Author: nickvergessen

admin_manual/installation/harden_server.rst

@@ -221,8 +221,6 @@ These include:
 
 - ``X-Content-Type-Options: nosniff``
 	- Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent browsers from interpreting text files as JavaScript.
-- ``X-XSS-Protection: 1; mode=block``
-	- Instructs browsers to enable their browser side Cross-Site-Scripting filter.
 - ``X-Robots-Tag: noindex, nofollow``
 	- Instructs search machines to not index these pages and not follow any links there.
 - ``X-Frame-Options: SAMEORIGIN``

admin_manual/installation/nginx-root.conf.sample

@@ -79,7 +79,6 @@ server {
     add_header X-Frame-Options                   "SAMEORIGIN"        always;
     add_header X-Permitted-Cross-Domain-Policies "none"              always;
     add_header X-Robots-Tag                      "noindex, nofollow" always;
-    add_header X-XSS-Protection                  "1; mode=block"     always;
 
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;

admin_manual/installation/nginx-subdir.conf.sample

@@ -111,7 +111,6 @@ server {
         add_header X-Frame-Options                   "SAMEORIGIN"        always;
         add_header X-Permitted-Cross-Domain-Policies "none"              always;
         add_header X-Robots-Tag                      "noindex, nofollow" always;
-        add_header X-XSS-Protection                  "1; mode=block"     always;
 
         # Remove X-Powered-By, which is an information leak
         fastcgi_hide_header X-Powered-By;

admin_manual/release_notes/index.rst

@@ -14,6 +14,7 @@ These sub pages will cover the most important changes in Nextcloud, as well as s
 .. toctree::
    :maxdepth: 1
 
+   upgrade_to_32.rst
    upgrade_to_31.rst
    upgrade_to_30.rst
    upgrade_to_28.rst

admin_manual/release_notes/upgrade_to_32.rst

@@ -0,0 +1,16 @@
+=======================
+Upgrade to Nextcloud 32
+=======================
+
+System requirements
+-------------------
+
+* PHP 8.1 is now deprecated but still supported.
+* PHP 8.4 is now supported, but 8.3 is recommended.
+
+Web server configuration
+------------------------
+
+* Setup checks do not check for the ``X-XSS-Protection`` response header anymore. It has been removed from Nextcloud's ``.htaccess`` and you may want to adjust your webserver config to not serve it anymore.
+  XSS filtering was supported only until Chromium 78 and similarly old browsers, but had been found to cause more issues, including attack vectors, than it solved.
+  Nowadays, aside of not serving the header at all, the only generally recommended value is ``0``. More context can be found in the `OWASP Cheat Sheet Series <https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection>`_.