Page-Audit.ru, 2021-07-06 11:10:26
Facebook

Why has Facebook disabled XSS protection?

Good day!

I noticed that Facebook sends the HTTP response header x-xss-protection: 0, which formally should disable the XSS protection built into the user's browser.
At the same time, the "unsafe" values 'unsafe-inline' and 'unsafe-eval' are allowed for script-src in the content-security-policy header. And yet FB itself makes sure that no one tries to "break" it. What is FB's logic, or how does it actually protect itself from XSS?


1 answer(s)
Page-Audit.ru, 2021-07-06
@PageAuditRU

So, thanks to Evgeny Glebov for the comments. Now everything has become clear.
Protection via the X-XSS-Protection header (and the related technology) is compromised and creates a false sense of security. XSS attacks remain feasible in any of its modes: 0, 1, or 1; mode=block.
Developers are recommended to:
- explicitly disable the protection by setting the 0 directive,
- switch to protection based on the Content-Security-Policy header,
- protect the site from XSS attacks on their own.
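As an added illustration of the three recommendations above (this is not code from the answer or from Page-Audit.ru), the script below audits a set of response headers the way a page-audit tool would: it confirms that X-XSS-Protection is explicitly 0, parses Content-Security-Policy, and flags 'unsafe-inline' or 'unsafe-eval' in the effective script-src. Two header sets are constructed inline: one mirroring the question (auditor off, unsafe script sources allowed) and a hardened counterpart that uses a per-response nonce instead of 'unsafe-inline'. The hostname and the nonce value are placeholders, not real values.

```python
"""Audit HTTP response headers for the XSS-related settings discussed above."""
from typing import Dict, List

# Constructed sample mirroring the question: legacy auditor disabled, but
# script-src still permits inline scripts and eval().
SAMPLE_HEADERS = {
    "x-xss-protection": "0",
    "content-security-policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.example.test; "
        "object-src 'none'"
    ),
}

# Constructed hardened counterpart: auditor still explicitly off, inline
# scripts allowed only when they carry the per-response nonce (placeholder value).
HARDENED_HEADERS = {
    "x-xss-protection": "0",
    "content-security-policy": (
        "default-src 'self'; "
        "script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    ),
}

WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token of each is the name.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings (empty list == nothing flagged)."""
    findings: List[str] = []
    lowered = {name.lower(): value for name, value in headers.items()}

    # Recommendation 1: the legacy filter should be explicitly turned off.
    xss = lowered.get("x-xss-protection")
    if xss is None:
        findings.append(
            "X-XSS-Protection missing: browsers that still implement the legacy "
            "filter enable it by default; send 'X-XSS-Protection: 0'"
        )
    elif xss.strip() != "0":
        findings.append(
            f"X-XSS-Protection is '{xss}': legacy filter enabled; set it to 0 "
            "and rely on Content-Security-Policy instead"
        )

    # Recommendation 2: CSP must be present and must not allow unsafe script sources.
    csp = lowered.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
        return findings
    sources = effective_script_sources(parse_csp(csp))
    for weak in WEAK_SCRIPT_SOURCES:
        if weak in sources:
            findings.append(f"script-src allows {weak}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit(hdrs) or ['no findings']}")
```

The third recommendation (escaping output on the server side) is outside what a header audit can see, so the script reports only on the two header settings; a clean result here means the headers are consistent with the answer, not that the application is free of XSS.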
