This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 3a88682ab0 Fix 66622 - deprecate xssProtectionEnabled and change default to false
3a88682ab0 is described below
commit 3a88682ab016bbd01489ed15adfe4c4ed6180c80
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed May 31 18:25:55 2023 +0100

    Fix 66622 - deprecate xssProtectionEnabled and change default to false

    Support for the associated HTTP header has been removed from all major browsers.
    https://bz.apache.org/bugzilla/show_bug.cgi?id=66622
---
 java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java | 7 ++++++-
 webapps/docs/changelog.xml | 6 ++++++
 webapps/docs/config/filter.xml | 5 ++++-
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
index 0f81aa31d0..668ce3b444 100644
--- a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
+++ b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
@@ -61,9 +61,12 @@ public class HttpHeaderSecurityFilter extends FilterBase {
     private boolean blockContentTypeSniffingEnabled = true;
     // Cross-site scripting filter protection
+    @Deprecated
     private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection";
+    @Deprecated
     private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
-    private boolean xssProtectionEnabled = true;
+    @Deprecated
+    private boolean xssProtectionEnabled = false;
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -238,11 +241,13 @@ public class HttpHeaderSecurityFilter extends FilterBase {
     }
+    @Deprecated
     public boolean isXssProtectionEnabled() {
         return xssProtectionEnabled;
     }
+    @Deprecated
     public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
         this.xssProtectionEnabled = xssProtectionEnabled;
     }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 552fa08471..0e0c4bfbbe 100644
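Review bot: The `@Deprecated` annotations added to `isXssProtectionEnabled()` and `setXssProtectionEnabled(boolean)` in the second hunk come with no Javadoc `@deprecated` tag, so a caller who gets the compiler warning finds neither the reason nor the plan in the API; I would put `/** @deprecated Support for the X-XSS-Protection header has been removed from all major browsers; this setting will be removed in a later version. */` above each (the filter.xml change in this commit already states the removal in 11.0.x). The three annotations in the first hunk, on the `private` constants `XSS_PROTECTION_HEADER_NAME` and `XSS_PROTECTION_HEADER_VALUE` and on the `xssProtectionEnabled` field, warn nobody, because javac suppresses deprecation warnings for uses inside the same outermost class and private members cannot be used anywhere else, so they act only as in-file markers; a single comment such as `// Deprecated: browsers ignore this header; remove together with the getter/setter` would carry more information. The `since`/`forRemoval` attributes of `@Deprecated` would record the plan in code, but they require Java 9 and this 8.5.x branch presumably targets an older level. The `init()` parsing of the init-param and the `doFilter` branch that emits the header on the opt-in path lie outside both hunks, so whether the header is still sent unchanged when explicitly enabled is not visible here.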
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -128,6 +128,12 @@
         <bug>66621</bug>: Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock. (markt)
       </fix>
+      <fix>
+        <bug>66622</bug>: Deprecate the <code>xssProtectionEnabled</code>
+        setting from the <code>HttpHeaderSecurityFilter</code> and change the
+        default value to <code>false</code> as support for the associated HTTP
+        header has been removed from all major browsers. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 617167d3e4..053f0277a8 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -949,11 +949,14 @@ FINE: Request "/docs/config/manager.html" with response status "200"
     </attribute>
     <attribute name="xssProtectionEnabled" required="false">
+      <p><strong>Note: This setting is deprecated as support for the HTTP
+      header has been removed from all major browsers. The setting has been
+      removed in Tomcat 11.0.x onwards.</strong></p>
       <p>Should the header that enables the browser's cross-site scripting filter protection (<code>X-XSS-Protection: 1; mode=block</code>) be set on every response. If already present, the header will be replaced. If not specified, the default value of
-      <code>true</code> will be used.</p>
+      <code>false</code> will be used.</p>
     </attribute>
   </attributes>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org