Disable X-XSS protection by default

wntrblm · Jul 25, 2023 · 9b7c766 · 9b7c766
1 parent 20055a7
commit 9b7c766
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
@@ -90,7 +90,7 @@ def init_app(
             session_cookie_http_only=True,
             session_cookie_samesite=DEFAULT_SESSION_COOKIE_SAMESITE,
             x_content_type_options=True,
-            x_xss_protection=True):
+            x_xss_protection=False):
         """
         Initialization.
 

diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
@@ -51,7 +51,6 @@ def testDefaults(self):
             'X-Frame-Options': 'SAMEORIGIN',
             'Strict-Transport-Security':
             'max-age=31556926; includeSubDomains',
-            'X-XSS-Protection': '1; mode=block',
             'X-Content-Type-Options': 'nosniff',
             'Referrer-Policy': 'strict-origin-when-cross-origin'
         }
@@ -85,6 +84,14 @@ def testForceSslOptionOptions(self):
         response = self.client.get('/')
         self.assertEqual(response.status_code, 200)
 
+    def testForceXSSProtectionOptions(self):
+        self.talisman.x_xss_protection = True
+
+        # HTTP request from Proxy
+        response = self.client.get('/')
+        self.assertIn('X-XSS-Protection', response.headers)
+        self.assertEqual(response.headers['X-XSS-Protection'], '1; mode=block')
+
     def testHstsOptions(self):
         self.talisman.force_ssl = False