	Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.
					committed by
					
						 Mariusz Felisiak
						Mariusz Felisiak
					
				
			
			
				
	
			
			
			
						parent
						
							8bcb00858e
						
					
				
				
					commit
					54da6e2ac2
				
			| @@ -634,7 +634,6 @@ SILENCED_SYSTEM_CHECKS = [] | |||||||
| ####################### | ####################### | ||||||
| # SECURITY MIDDLEWARE # | # SECURITY MIDDLEWARE # | ||||||
| ####################### | ####################### | ||||||
| SECURE_BROWSER_XSS_FILTER = False |  | ||||||
| SECURE_CONTENT_TYPE_NOSNIFF = True | SECURE_CONTENT_TYPE_NOSNIFF = True | ||||||
| SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin' | SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin' | ||||||
| SECURE_HSTS_INCLUDE_SUBDOMAINS = False | SECURE_HSTS_INCLUDE_SUBDOMAINS = False | ||||||
|   | |||||||
| @@ -19,9 +19,9 @@ SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5 | |||||||
| W001 = Warning( | W001 = Warning( | ||||||
|     "You do not have 'django.middleware.security.SecurityMiddleware' " |     "You do not have 'django.middleware.security.SecurityMiddleware' " | ||||||
|     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, " |     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, " | ||||||
|     "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, " |     "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, " | ||||||
|     "SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, " |     "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will " | ||||||
|     "and SECURE_SSL_REDIRECT settings will have no effect.", |     "have no effect.", | ||||||
|     id='security.W001', |     id='security.W001', | ||||||
| ) | ) | ||||||
|  |  | ||||||
|   | |||||||
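Review bot: The rewritten W001 message still names only five settings, although the SecurityMiddleware `__init__` hunk in this same commit shows the middleware also reading SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD, SECURE_SSL_HOST and SECURE_REDIRECT_EXEMPT, which are equally inert when the middleware is absent. This is pre-existing rather than introduced here, and those are sub-settings of SECURE_HSTS_SECONDS and SECURE_SSL_REDIRECT, so the omission may be deliberate; if the list is meant to be read as exhaustive, `"in your MIDDLEWARE so the SECURE_HSTS_SECONDS (and other SECURE_HSTS_*), "` would say so without enumerating them. The same list is repeated verbatim in the checks reference hunk of this commit, so any change to the wording here has to be mirrored there.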
| @@ -12,7 +12,6 @@ class SecurityMiddleware(MiddlewareMixin): | |||||||
|         self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS |         self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS | ||||||
|         self.sts_preload = settings.SECURE_HSTS_PRELOAD |         self.sts_preload = settings.SECURE_HSTS_PRELOAD | ||||||
|         self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF |         self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF | ||||||
|         self.xss_filter = settings.SECURE_BROWSER_XSS_FILTER |  | ||||||
|         self.redirect = settings.SECURE_SSL_REDIRECT |         self.redirect = settings.SECURE_SSL_REDIRECT | ||||||
|         self.redirect_host = settings.SECURE_SSL_HOST |         self.redirect_host = settings.SECURE_SSL_HOST | ||||||
|         self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT] |         self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT] | ||||||
| @@ -42,9 +41,6 @@ class SecurityMiddleware(MiddlewareMixin): | |||||||
|         if self.content_type_nosniff: |         if self.content_type_nosniff: | ||||||
|             response.headers.setdefault('X-Content-Type-Options', 'nosniff') |             response.headers.setdefault('X-Content-Type-Options', 'nosniff') | ||||||
|  |  | ||||||
|         if self.xss_filter: |  | ||||||
|             response.headers.setdefault('X-XSS-Protection', '1; mode=block') |  | ||||||
|  |  | ||||||
|         if self.referrer_policy: |         if self.referrer_policy: | ||||||
|             # Support a comma-separated string or iterable of values to allow |             # Support a comma-separated string or iterable of values to allow | ||||||
|             # fallback. |             # fallback. | ||||||
|   | |||||||
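Review bot: Dropping `self.xss_filter` from `__init__` removes an instance attribute, not just a setting lookup, so any project subclass or custom middleware that still reads `middleware.xss_filter` now fails with AttributeError, while the release note in this commit only names the removed setting. Whether such a subclass exists is not visible from the diff, but one sentence in the backwards-incompatible note, e.g. `The ``xss_filter`` attribute of ``SecurityMiddleware`` is also removed.`, would make the break explicit for people searching the notes for the error. Both hunks are cut from `__init__` and `process_response`, whose bodies begin and end outside the diff.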
| @@ -416,8 +416,7 @@ The following checks are run if you use the :option:`check --deploy` option: | |||||||
| * **security.W001**: You do not have | * **security.W001**: You do not have | ||||||
|   :class:`django.middleware.security.SecurityMiddleware` in your |   :class:`django.middleware.security.SecurityMiddleware` in your | ||||||
|   :setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`, |   :setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`, | ||||||
|   :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`, |   :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_REFERRER_POLICY`, | ||||||
|   :setting:`SECURE_REFERRER_POLICY`, |  | ||||||
|   :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and |   :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and | ||||||
|   :setting:`SECURE_SSL_REDIRECT` settings will have no effect. |   :setting:`SECURE_SSL_REDIRECT` settings will have no effect. | ||||||
| * **security.W002**: You do not have | * **security.W002**: You do not have | ||||||
| @@ -446,7 +445,7 @@ The following checks are run if you use the :option:`check --deploy` option: | |||||||
|   set to ``True``, so your pages will not be served with an |   set to ``True``, so your pages will not be served with an | ||||||
|   ``'X-Content-Type-Options: nosniff'`` header. You should consider enabling |   ``'X-Content-Type-Options: nosniff'`` header. You should consider enabling | ||||||
|   this header to prevent the browser from identifying content types incorrectly. |   this header to prevent the browser from identifying content types incorrectly. | ||||||
| * **security.W007**: Your :setting:`SECURE_BROWSER_XSS_FILTER` setting is not | * **security.W007**: Your ``SECURE_BROWSER_XSS_FILTER`` setting is not | ||||||
|   set to ``True``, so your pages will not be served with an |   set to ``True``, so your pages will not be served with an | ||||||
|   ``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling |   ``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling | ||||||
|   this header to activate the browser's XSS filtering and help prevent XSS |   this header to activate the browser's XSS filtering and help prevent XSS | ||||||
|   | |||||||
| @@ -196,7 +196,6 @@ The ``django.middleware.security.SecurityMiddleware`` provides several security | |||||||
| enhancements to the request/response cycle. Each one can be independently | enhancements to the request/response cycle. Each one can be independently | ||||||
| enabled or disabled with a setting. | enabled or disabled with a setting. | ||||||
|  |  | ||||||
| * :setting:`SECURE_BROWSER_XSS_FILTER` |  | ||||||
| * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` | * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` | ||||||
| * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` | * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` | ||||||
| * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` | * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` | ||||||
| @@ -422,33 +421,6 @@ setting will be useful. | |||||||
|  |  | ||||||
| __ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | __ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | ||||||
|  |  | ||||||
| .. _x-xss-protection: |  | ||||||
|  |  | ||||||
| ``X-XSS-Protection: 1; mode=block`` |  | ||||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |  | ||||||
|  |  | ||||||
| Some browsers have the ability to block content that appears to be an `XSS |  | ||||||
| attack`_. They work by looking for JavaScript content in the GET or POST |  | ||||||
| parameters of a page. If the JavaScript is replayed in the server's response, |  | ||||||
| the page is blocked from rendering and an error page is shown instead. |  | ||||||
|  |  | ||||||
| The `X-XSS-Protection header`__ is used to control the operation of the |  | ||||||
| XSS filter. |  | ||||||
|  |  | ||||||
| To enable the XSS filter in the browser, and force it to always block |  | ||||||
| suspected XSS attacks, you can pass the ``X-XSS-Protection: 1; mode=block`` |  | ||||||
| header. ``SecurityMiddleware`` will do this for all responses if the |  | ||||||
| :setting:`SECURE_BROWSER_XSS_FILTER` setting is ``True``. |  | ||||||
|  |  | ||||||
| .. warning:: |  | ||||||
|     The browser XSS filter is a useful defense measure, but must not be |  | ||||||
|     relied upon exclusively. It cannot detect all XSS attacks and not all |  | ||||||
|     browsers support the header. Ensure you are still :ref:`validating and |  | ||||||
|     sanitizing <cross-site-scripting>` all input to prevent XSS attacks. |  | ||||||
|  |  | ||||||
| .. _XSS attack: https://en.wikipedia.org/wiki/Cross-site_scripting |  | ||||||
| __ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection |  | ||||||
|  |  | ||||||
| .. _ssl-redirect: | .. _ssl-redirect: | ||||||
|  |  | ||||||
| SSL Redirect | SSL Redirect | ||||||
|   | |||||||
| @@ -2262,20 +2262,6 @@ affect them. | |||||||
|     startproject <startproject>` creates a unique ``SECRET_KEY`` for |     startproject <startproject>` creates a unique ``SECRET_KEY`` for | ||||||
|     convenience. |     convenience. | ||||||
|  |  | ||||||
| .. setting:: SECURE_BROWSER_XSS_FILTER |  | ||||||
|  |  | ||||||
| ``SECURE_BROWSER_XSS_FILTER`` |  | ||||||
| ----------------------------- |  | ||||||
|  |  | ||||||
| Default: ``False`` |  | ||||||
|  |  | ||||||
| If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets |  | ||||||
| the :ref:`x-xss-protection` header on all responses that do not already have it. |  | ||||||
|  |  | ||||||
| Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although |  | ||||||
| the setting offers little practical benefit, you may still want to set the |  | ||||||
| header if you support older browsers. |  | ||||||
|  |  | ||||||
| .. setting:: SECURE_CONTENT_TYPE_NOSNIFF | .. setting:: SECURE_CONTENT_TYPE_NOSNIFF | ||||||
|  |  | ||||||
| ``SECURE_CONTENT_TYPE_NOSNIFF`` | ``SECURE_CONTENT_TYPE_NOSNIFF`` | ||||||
| @@ -3636,7 +3622,6 @@ HTTP | |||||||
| * :setting:`MIDDLEWARE` | * :setting:`MIDDLEWARE` | ||||||
| * Security | * Security | ||||||
|  |  | ||||||
|   * :setting:`SECURE_BROWSER_XSS_FILTER` |  | ||||||
|   * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` |   * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` | ||||||
|   * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` |   * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` | ||||||
|   * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` |   * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` | ||||||
|   | |||||||
| @@ -357,6 +357,24 @@ subdomains by setting :setting:`CSRF_COOKIE_DOMAIN` (or | |||||||
| :setting:`SESSION_COOKIE_DOMAIN` if :setting:`CSRF_USE_SESSIONS` is enabled) to | :setting:`SESSION_COOKIE_DOMAIN` if :setting:`CSRF_USE_SESSIONS` is enabled) to | ||||||
| a value starting with a dot. | a value starting with a dot. | ||||||
|  |  | ||||||
|  | ``SecurityMiddleware`` no longer sets the ``X-XSS-Protection`` header | ||||||
|  | --------------------------------------------------------------------- | ||||||
|  |  | ||||||
|  | The :class:`~django.middleware.security.SecurityMiddleware` no longer sets the | ||||||
|  | ``X-XSS-Protection`` header if the ``SECURE_BROWSER_XSS_FILTER`` setting is | ||||||
|  | ``True``. The setting is removed. | ||||||
|  |  | ||||||
|  | Most modern browsers don't honor the ``X-XSS-Protection`` HTTP header. You can | ||||||
|  | use Content-Security-Policy_ without allowing ``'unsafe-inline'`` scripts | ||||||
|  | instead. | ||||||
|  |  | ||||||
|  | If you want to support legacy browsers and set the header, use this line in a | ||||||
|  | custom middleware:: | ||||||
|  |  | ||||||
|  |     response.headers.setdefault('X-XSS-Protection', '1; mode=block') | ||||||
|  |  | ||||||
|  | .. _Content-Security-Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy | ||||||
|  |  | ||||||
| Miscellaneous | Miscellaneous | ||||||
| ------------- | ------------- | ||||||
|  |  | ||||||
|   | |||||||
| @@ -175,34 +175,6 @@ class SecurityMiddlewareTest(SimpleTestCase): | |||||||
|         """ |         """ | ||||||
|         self.assertNotIn('X-Content-Type-Options', self.process_response().headers) |         self.assertNotIn('X-Content-Type-Options', self.process_response().headers) | ||||||
|  |  | ||||||
|     @override_settings(SECURE_BROWSER_XSS_FILTER=True) |  | ||||||
|     def test_xss_filter_on(self): |  | ||||||
|         """ |  | ||||||
|         With SECURE_BROWSER_XSS_FILTER set to True, the middleware adds |  | ||||||
|         "s-xss-protection: 1; mode=block" header to the response. |  | ||||||
|         """ |  | ||||||
|         self.assertEqual( |  | ||||||
|             self.process_response().headers['X-XSS-Protection'], |  | ||||||
|             '1; mode=block', |  | ||||||
|         ) |  | ||||||
|  |  | ||||||
|     @override_settings(SECURE_BROWSER_XSS_FILTER=True) |  | ||||||
|     def test_xss_filter_already_present(self): |  | ||||||
|         """ |  | ||||||
|         The middleware will not override an "X-XSS-Protection" header |  | ||||||
|         already present in the response. |  | ||||||
|         """ |  | ||||||
|         response = self.process_response(secure=True, headers={"X-XSS-Protection": "foo"}) |  | ||||||
|         self.assertEqual(response.headers["X-XSS-Protection"], "foo") |  | ||||||
|  |  | ||||||
|     @override_settings(SECURE_BROWSER_XSS_FILTER=False) |  | ||||||
|     def test_xss_filter_off(self): |  | ||||||
|         """ |  | ||||||
|         With SECURE_BROWSER_XSS_FILTER set to False, the middleware does not |  | ||||||
|         add an "X-XSS-Protection" header to the response. |  | ||||||
|         """ |  | ||||||
|         self.assertNotIn('X-XSS-Protection', self.process_response().headers) |  | ||||||
|  |  | ||||||
|     @override_settings(SECURE_SSL_REDIRECT=True) |     @override_settings(SECURE_SSL_REDIRECT=True) | ||||||
|     def test_ssl_redirect_on(self): |     def test_ssl_redirect_on(self): | ||||||
|         """ |         """ | ||||||
|   | |||||||