disable legacy X-XSS-Protection feature - vw_small

commit 27d4b713f6281e531d9622de09373adf7170384b
parent 8d06d9c1111d642d0c2d03c1d29b0170e79f0c11
Author: Wonderfall <wonderfall@protonmail.com>
Date:   Mon, 21 Mar 2022 06:30:37 +0100

disable legacy X-XSS-Protection feature

Obsolete in every modern browser, unsafe, and replaced by CSP

Diffstat:
M src/util.rs  | 3 ++-

1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util.rs b/src/util.rs
@@ -32,7 +32,8 @@ impl Fairing for AppHeaders {
         res.set_raw_header("Referrer-Policy", "same-origin");
         res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
         res.set_raw_header("X-Content-Type-Options", "nosniff");
-        res.set_raw_header("X-XSS-Protection", "1; mode=block");
+        // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP
+        res.set_raw_header("X-XSS-Protection", "0");
         let csp = format!(
             // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
             // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US

	vw_small Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
	git clone https://git.philomathiclife.com/repos/vw_small
	Log \| Files \| Refs \| README