Remove XSS-Protection header from Nginx configs #9188
Conversation
|
It would be great to merge the first commit. For the second commit, as Nextcloud devs said in the previous PR: they set the CSP from Nextcloud. |
|
I can reverse the second commit and rebase the changes, if that's what it takes. Also, if this commit still needs other changes (like the check for the presence of the header), please tell me what and where and I can add it :) |
|
For the first commit, this code should be updated I think: https://github.com/nextcloud/server/blob/master/core/js/setupchecks.js That would be necessary before updating the nginx documentation for Nextcloud. |
|
Server side change (remove it completely not just setting it to
Could also require an update here: |
MichaIng
force-pushed
the
feature/disable-xss-header
branch
from
05c3010 to
38e3885
Compare
There was a problem hiding this comment.
Blocking until nextcloud/server#53476 has been merged, but this is the complementary needed docs part then.
I hope no one has a problem with me adjusting and squashing the commits:
- While disabling XSS explicitly is safe as well, I think it makes more sense to remove and forget this header completely. OWASP recommends to do either of both. For more details see the server PR.
- CSP should not be set at webserver level: It would overwrite or duplicate what Nextcloud sets in PHP already, hence can break things or weaken security. CSP, the way it is designed with very selective permissions all as single header value, needs to be set in the backend as individually. There is no generic safe but functional value that could be applied on webserver level for the whole site.
MichaIng
changed the title
see notes: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Signed-off-by: Maru Alka <[email protected]>
Signed-off-by: MichaIng <[email protected]>
with a note about the dropped X-XSS-Protection header check Signed-off-by: MichaIng <[email protected]>
MichaIng
force-pushed
the
feature/disable-xss-header
branch
from
7d38893 to
74dbee7
Compare
| * PHP 8.1 is now deprecated but still supported. | ||
| * PHP 8.4 is now supported, but 8.3 is recommended. |
There was a problem hiding this comment.
Is this still accurate?
https://github.com/nextcloud/server/blob/master/lib/versioncheck.php
Co-authored-by: Joas Schilling <[email protected]> Signed-off-by: MichaIng <[email protected]>
|
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/documentation/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 |
|
@minecrawler Shouldn't the header also be removed in the rules under In addition, the version in the line 1 is outdated. |
|
@Patta well, it's a 3(!) years old PR and it's merged, now. So if there's potential for improvement, we should create a new PR and hope it's merged quicker |
|
Absolutely, that was an oversight. I will create a followup PR just now 🙂. |
It was removed from the config in #9188, but forgotten for the static assets block. In addition, the date added with #12100 was is added to the subdir config as well, for consistency. Signed-off-by: MichaIng <[email protected]>
Or shall we call it the "RIP Ozzy 🤘" version of the Nginx config? 😢🙏 |
By now, no modern browser supports the
XSS-Protectionheader anymore - and with good reason. It actually has known security vulnerabilities. Instead, it is recommended to disable it and use CSP instead. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-ProtectionHence, this patch disables the XSS header and enables CSP instead. The CSP part was copied from an earlier PR (#1714), which was closed because of an incompatible browser matrix. That issue does not exist anymore. Is it possible to merge these changes?