Fixed #30680 -- Removed obsolete system check for SECURE_BROWSER_XSS_FILTER setting.
This commit is contained in:
parent
05964b2198
commit
c5075360c5
|
@ -51,15 +51,6 @@ W006 = Warning(
|
|||
id='security.W006',
|
||||
)
|
||||
|
||||
W007 = Warning(
|
||||
"Your SECURE_BROWSER_XSS_FILTER setting is not set to True, "
|
||||
"so your pages will not be served with an "
|
||||
"'X-XSS-Protection: 1; mode=block' header. "
|
||||
"You should consider enabling this header to activate the "
|
||||
"browser's XSS filtering and help prevent XSS attacks.",
|
||||
id='security.W007',
|
||||
)
|
||||
|
||||
W008 = Warning(
|
||||
"Your SECURE_SSL_REDIRECT setting is not set to True. "
|
||||
"Unless your site should be available over both SSL and non-SSL "
|
||||
|
@ -162,15 +153,6 @@ def check_content_type_nosniff(app_configs, **kwargs):
|
|||
return [] if passed_check else [W006]
|
||||
|
||||
|
||||
@register(Tags.security, deploy=True)
|
||||
def check_xss_filter(app_configs, **kwargs):
|
||||
passed_check = (
|
||||
not _security_middleware() or
|
||||
settings.SECURE_BROWSER_XSS_FILTER is True
|
||||
)
|
||||
return [] if passed_check else [W007]
|
||||
|
||||
|
||||
@register(Tags.security, deploy=True)
|
||||
def check_ssl_redirect(app_configs, **kwargs):
|
||||
passed_check = (
|
||||
|
|
|
@ -369,7 +369,8 @@ The following checks are run if you use the :option:`check --deploy` option:
|
|||
set to ``True``, so your pages will not be served with an
|
||||
``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
|
||||
this header to activate the browser's XSS filtering and help prevent XSS
|
||||
attacks.
|
||||
attacks. *This check is removed in Django 3.0 as the ``X-XSS-Protection``
|
||||
header is no longer honored by modern browsers.*
|
||||
* **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to
|
||||
``True``. Unless your site should be available over both SSL and non-SSL
|
||||
connections, you may want to either set this setting to ``True`` or configure
|
||||
|
|
|
@ -2182,6 +2182,10 @@ Default: ``False``
|
|||
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets
|
||||
the :ref:`x-xss-protection` header on all responses that do not already have it.
|
||||
|
||||
Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although
|
||||
the setting offers little practical benefit, you may still want to set the
|
||||
header if you support older browsers.
|
||||
|
||||
.. setting:: SECURE_CONTENT_TYPE_NOSNIFF
|
||||
|
||||
``SECURE_CONTENT_TYPE_NOSNIFF``
|
||||
|
|
|
@ -402,38 +402,6 @@ class CheckContentTypeNosniffTest(SimpleTestCase):
|
|||
self.assertEqual(self.func(None), [])
|
||||
|
||||
|
||||
class CheckXssFilterTest(SimpleTestCase):
|
||||
@property
|
||||
def func(self):
|
||||
from django.core.checks.security.base import check_xss_filter
|
||||
return check_xss_filter
|
||||
|
||||
@override_settings(
|
||||
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
|
||||
SECURE_BROWSER_XSS_FILTER=False,
|
||||
)
|
||||
def test_no_xss_filter(self):
|
||||
"""
|
||||
Warn if SECURE_BROWSER_XSS_FILTER isn't True.
|
||||
"""
|
||||
self.assertEqual(self.func(None), [base.W007])
|
||||
|
||||
@override_settings(MIDDLEWARE=[], SECURE_BROWSER_XSS_FILTER=False)
|
||||
def test_no_xss_filter_no_middleware(self):
|
||||
"""
|
||||
Don't warn if SECURE_BROWSER_XSS_FILTER isn't True and
|
||||
SecurityMiddleware isn't in MIDDLEWARE.
|
||||
"""
|
||||
self.assertEqual(self.func(None), [])
|
||||
|
||||
@override_settings(
|
||||
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
|
||||
SECURE_BROWSER_XSS_FILTER=True,
|
||||
)
|
||||
def test_with_xss_filter(self):
|
||||
self.assertEqual(self.func(None), [])
|
||||
|
||||
|
||||
class CheckSSLRedirectTest(SimpleTestCase):
|
||||
@property
|
||||
def func(self):
|
||||
|
|
Loading…
Reference in New Issue