oC 10.7 X-XSS-Protection

Hello everyone,

since oC10.7 I’ve got a warning in the general section of the admin about the HTTP header X-XSS-Protection.

Usually I set this header to 1; mode=block, which prevents rendering of the page if an attack is detected.
According to Mozilla documentation it seems about right.

Why is ownCloud advising the value of 0? It could lead to XSS attacks.

Thanks.

Hello,

It's deprecated and does not work in modern browsers anymore.

Here you can see more details if you click on the response headers tab:

Credit goes to @rkaussow and @corby

3 Likes
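
As an added example (not part of the thread and not ownCloud's own code): a Python check that reads a raw response header block and reports whether X-XSS-Protection matches the value 0 that the admin warning asks for, including the case where two layers both set the header. The sample responses are constructed, and the function names and result labels are assumptions made for this sketch.

```python
import re

ADVISED = "0"  # value the ownCloud 10.7 admin warning asks for, per the thread

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "legacy": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "advised": "HTTP/1.1 200 OK\r\nx-xss-protection: 0\r\n\r\n",
    "duplicate": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n"
                 "X-XSS-Protection: 0\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

def xss_protection_values(raw_response):
    """Return every X-XSS-Protection value in a raw header block, normalised."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            # Normalise spacing so '1;mode = block' equals '1; mode=block'.
            parts = [p.strip().lower() for p in value.split(";")]
            values.append("; ".join(re.sub(r"\s*=\s*", "=", p) for p in parts if p))
    return values

def audit(raw_response):
    """Classify the header against the advised value (labels are hypothetical)."""
    values = xss_protection_values(raw_response)
    if not values:
        return "missing"
    if len(values) > 1:
        # Two layers (e.g. web server and application) both emitted the header.
        return "conflict" if len(set(values)) > 1 else "duplicate"
    if values[0] == ADVISED:
        return "ok"
    if values[0].startswith("1"):
        return "legacy-filter-enabled"
    return "unrecognised"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {xss_protection_values(raw)} -> {audit(raw)}")
```
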