oC 10.7 X-XSS-Protection

Hello everyone,

since oC10.7 I’ve got a warning in the general section of the admin about the HTTP header X-XSS-Protection.

Usually I set this header to 1; mode=block, which prevents rendering of the page if an attack is detected.
According to Mozilla documentation it seems about right.

Why is ownCloud advising the value of 0? It could lead to XSS attacks.



It's deprecated and does not work in modern browsers anymore.

Here you can see more details if you click on the response headers tab:

Credit goes to @rkaussow and @corby