Explicit disable (unsafe) X-XSS-Protection-header

README.rst

@@ -21,10 +21,9 @@ The default configuration:
    `X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options>`_
    to ``SAMEORIGIN`` to avoid
    `clickjacking <https://en.wikipedia.org/wiki/Clickjacking>`_.
--  Sets `X-XSS-Protection
+-  Explicit disables `X-XSS-Protection
    <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection>`_
-   to enable a cross site scripting filter for IE and Safari (note Chrome has
-   removed this and Firefox never supported it).
+   to avoid introducing unintended vulnerabilities in otherwise safe code.
 -  Sets `X-Content-Type-Options
    <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_
    to prevent content type sniffing.

flask_talisman/talisman.py

@@ -284,7 +284,11 @@ def _set_frame_options_headers(self, headers, options):
                 options['frame_options_allow_from'])
 
     def _set_content_security_policy_headers(self, headers, options):
-        headers['X-XSS-Protection'] = '1; mode=block'
+        # Yes, this is correct.  The X-XSS-Protection header is deprecated and
+        # can actually introduce vulnerabilities in otherwise safe code, so lets
+        # explicit disable it.  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+        headers['X-XSS-Protection'] = '0'
+
         headers['X-Content-Type-Options'] = 'nosniff'
 
         if self.force_file_save:

flask_talisman/talisman_test.py

@@ -52,7 +52,7 @@ def testDefaults(self):
             'X-Frame-Options': 'SAMEORIGIN',
             'Strict-Transport-Security':
             'max-age=31556926; includeSubDomains',
-            'X-XSS-Protection': '1; mode=block',
+            'X-XSS-Protection': '0',
             'X-Content-Type-Options': 'nosniff',
             'Content-Security-Policy': 'default-src \'self\'',
             'Referrer-Policy': 'strict-origin-when-cross-origin'