From 8773bfc781153b0cf40944129a14253251f6fa0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolai=20S=C3=B8borg?=
Date: Thu, 6 Jul 2023 21:03:32 +0200
Subject: [PATCH] Explicit disable (unsafe) `X-XSS-Protection`-header
---
 README.rst | 5 ++---
 flask_talisman/talisman.py | 6 +++++-
 flask_talisman/talisman_test.py | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/README.rst b/README.rst
index d91027c..e9aba1f 100644
--- a/README.rst
+++ b/README.rst
@@ -21,10 +21,9 @@ The default configuration: `X-Frame-Options `_ to ``SAMEORIGIN`` to avoid `clickjacking `_. -- Sets `X-XSS-Protection +- Explicit disables `X-XSS-Protection `_ - to enable a cross site scripting filter for IE and Safari (note Chrome has - removed this and Firefox never supported it). + to avoid introducing unintended vulnerabilities in otherwise safe code. - Sets `X-Content-Type-Options `_ to prevent content type sniffing.
diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
index 2d55d13..6b13062 100644
--- a/flask_talisman/talisman.py
+++ b/flask_talisman/talisman.py
@@ -284,7 +284,11 @@ def _set_frame_options_headers(self, headers, options):
 options['frame_options_allow_from'])
 def _set_content_security_policy_headers(self, headers, options):
- headers['X-XSS-Protection'] = '1; mode=block'
+ # Yes, this is correct. The X-XSS-Protection header is deprecated and
+ # can actually introduce vulnerabilities in otherwise safe code, so lets
+ # explicit disable it. Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ headers['X-XSS-Protection'] = '0'
+
 headers['X-Content-Type-Options'] = 'nosniff'
 if self.force_file_save:
diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
index 8c75fc4..81d2c05 100644
--- a/flask_talisman/talisman_test.py
+++ b/flask_talisman/talisman_test.py
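Review bot: The new comment says the header is deprecated but not why it is sent as `0` instead of being dropped altogether, and that is exactly the line a future cleanup is likely to remove; legacy user agents that still ship an XSS filter generally have it enabled by default, so only an explicit `0` switches it off, and a one-line addition such as `# Sent as '0' rather than omitted: browsers that still implement the filter enable it when the header is absent.` would pin that down. The phrase `so lets explicit disable it` should read `so explicitly disable it`. Because this changes a default response header that downstream test suites may assert on (this patch itself has to update talisman_test.py), a changelog or release-note entry is worth adding if the project keeps one. `_set_content_security_policy_headers` continues past the end of the hunk.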
@@ -52,7 +52,7 @@ def testDefaults(self):
 'X-Frame-Options': 'SAMEORIGIN',
 'Strict-Transport-Security': 'max-age=31556926; includeSubDomains',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'Content-Security-Policy': 'default-src \'self\'',
 'Referrer-Policy': 'strict-origin-when-cross-origin'