Disable the X-XSS-Protection header in defaults

Disable the XSS Auditor in older browsers by default. The
X-XSS-Protection header has been deprecated by modern browsers due to
security issues it introduces on the client.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Fixes #35.

Author: mahsa2

README.md

@@ -138,8 +138,9 @@ The following configuration keys are supported:
     server is on a non-standard port. See: [wrap-ssl-redirect][9].
 
   - `:xss-protection` -
-    Enable the X-XSS-Protection header that tells supporting browsers
-    to use heuristics to detect XSS attacks. See: [wrap-xss-protection][10].
+    **Deprecated** Enable the X-XSS-Protection header. This is [no
+    longer considered best practice][13] and should be avoided.
+    See: [wrap-xss-protection][10].
 
 - `:session` -
   A map of options for configuring session handling via the Ring
@@ -175,6 +176,7 @@ The following configuration keys are supported:
 [10]: https://ring-clojure.github.io/ring-headers/ring.middleware.x-headers.html#var-wrap-xss-protection
 [11]: https://ring-clojure.github.io/ring/ring.middleware.session.html
 [12]: https://ring-clojure.github.io/ring/ring.middleware.flash.html
+[13]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 
 
 ## License

src/ring/middleware/defaults.clj

@@ -44,7 +44,6 @@
    :session   {:flash true
                :cookie-attrs {:http-only true, :same-site :strict}}
    :security  {:anti-forgery   true
-               :xss-protection {:enable? true, :mode :block}
                :frame-options  :sameorigin
                :content-type-options :nosniff}
    :static    {:resources "public"}

test/ring/middleware/defaults_test.clj

@@ -22,12 +22,10 @@
       (is (= (set (keys (:headers resp)))
              #{"X-Frame-Options"
                "X-Content-Type-Options"
-               "X-XSS-Protection"
                "Content-Type"
                "Set-Cookie"}))
       (is (= (get-in resp [:headers "X-Frame-Options"]) "SAMEORIGIN"))
       (is (= (get-in resp [:headers "X-Content-Type-Options"]) "nosniff"))
-      (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))
       (is (= (get-in resp [:headers "Content-Type"]) "application/octet-stream"))
       (let [set-cookie (first (get-in resp [:headers "Set-Cookie"]))]
         (is (.startsWith set-cookie "ring-session="))
@@ -99,13 +97,11 @@
       (is (= (set (keys (:headers resp)))
              #{"X-Frame-Options"
                "X-Content-Type-Options"
-               "X-XSS-Protection"
                "Strict-Transport-Security"
                "Content-Type"
                "Set-Cookie"}))
       (is (= (get-in resp [:headers "X-Frame-Options"]) "SAMEORIGIN"))
       (is (= (get-in resp [:headers "X-Content-Type-Options"]) "nosniff"))
-      (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))
       (is (= (get-in resp [:headers "Strict-Transport-Security"])
              "max-age=31536000; includeSubDomains"))
       (is (= (get-in resp [:headers "Content-Type"]) "application/octet-stream"))
@@ -171,3 +167,13 @@
       (is (= @resp {:status 200
                     :headers {"Content-Type" "application/octet-stream"}
                     :body "foo"})))))
+
+(testing "XSS protection enabled"
+  (let [handler (-> (constantly (response "foo"))
+                    (wrap-defaults
+                     (-> site-defaults
+                         (assoc-in [:security :xss-protection :enable?] true)
+                         (assoc-in [:security :xss-protection :mode] :block))))
+        resp    (handler (request :get "/"))]
+    (is (not (nil? (get-in resp [:headers "X-XSS-Protection"]))))
+    (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))))