mirror of https://github.com/django/django.git
Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.
This commit is contained in:
parent
8bcb00858e
commit
54da6e2ac2
|
@ -634,7 +634,6 @@ SILENCED_SYSTEM_CHECKS = []
|
||||||
#######################
|
#######################
|
||||||
# SECURITY MIDDLEWARE #
|
# SECURITY MIDDLEWARE #
|
||||||
#######################
|
#######################
|
||||||
SECURE_BROWSER_XSS_FILTER = False
|
|
||||||
SECURE_CONTENT_TYPE_NOSNIFF = True
|
SECURE_CONTENT_TYPE_NOSNIFF = True
|
||||||
SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin'
|
SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin'
|
||||||
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
|
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
|
||||||
|
|
|
@ -19,9 +19,9 @@ SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
|
||||||
W001 = Warning(
|
W001 = Warning(
|
||||||
"You do not have 'django.middleware.security.SecurityMiddleware' "
|
"You do not have 'django.middleware.security.SecurityMiddleware' "
|
||||||
"in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
|
"in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
|
||||||
"SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, "
|
"SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
|
||||||
"SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, "
|
"SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
|
||||||
"and SECURE_SSL_REDIRECT settings will have no effect.",
|
"have no effect.",
|
||||||
id='security.W001',
|
id='security.W001',
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,6 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||||
self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS
|
self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS
|
||||||
self.sts_preload = settings.SECURE_HSTS_PRELOAD
|
self.sts_preload = settings.SECURE_HSTS_PRELOAD
|
||||||
self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF
|
self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF
|
||||||
self.xss_filter = settings.SECURE_BROWSER_XSS_FILTER
|
|
||||||
self.redirect = settings.SECURE_SSL_REDIRECT
|
self.redirect = settings.SECURE_SSL_REDIRECT
|
||||||
self.redirect_host = settings.SECURE_SSL_HOST
|
self.redirect_host = settings.SECURE_SSL_HOST
|
||||||
self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
|
self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
|
||||||
|
@ -42,9 +41,6 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||||
if self.content_type_nosniff:
|
if self.content_type_nosniff:
|
||||||
response.headers.setdefault('X-Content-Type-Options', 'nosniff')
|
response.headers.setdefault('X-Content-Type-Options', 'nosniff')
|
||||||
|
|
||||||
if self.xss_filter:
|
|
||||||
response.headers.setdefault('X-XSS-Protection', '1; mode=block')
|
|
||||||
|
|
||||||
if self.referrer_policy:
|
if self.referrer_policy:
|
||||||
# Support a comma-separated string or iterable of values to allow
|
# Support a comma-separated string or iterable of values to allow
|
||||||
# fallback.
|
# fallback.
|
||||||
|
|
|
@ -416,8 +416,7 @@ The following checks are run if you use the :option:`check --deploy` option:
|
||||||
* **security.W001**: You do not have
|
* **security.W001**: You do not have
|
||||||
:class:`django.middleware.security.SecurityMiddleware` in your
|
:class:`django.middleware.security.SecurityMiddleware` in your
|
||||||
:setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
|
:setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
|
||||||
:setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
|
:setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_REFERRER_POLICY`,
|
||||||
:setting:`SECURE_REFERRER_POLICY`,
|
|
||||||
:setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and
|
:setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and
|
||||||
:setting:`SECURE_SSL_REDIRECT` settings will have no effect.
|
:setting:`SECURE_SSL_REDIRECT` settings will have no effect.
|
||||||
* **security.W002**: You do not have
|
* **security.W002**: You do not have
|
||||||
|
@ -446,7 +445,7 @@ The following checks are run if you use the :option:`check --deploy` option:
|
||||||
set to ``True``, so your pages will not be served with an
|
set to ``True``, so your pages will not be served with an
|
||||||
``'X-Content-Type-Options: nosniff'`` header. You should consider enabling
|
``'X-Content-Type-Options: nosniff'`` header. You should consider enabling
|
||||||
this header to prevent the browser from identifying content types incorrectly.
|
this header to prevent the browser from identifying content types incorrectly.
|
||||||
* **security.W007**: Your :setting:`SECURE_BROWSER_XSS_FILTER` setting is not
|
* **security.W007**: Your ``SECURE_BROWSER_XSS_FILTER`` setting is not
|
||||||
set to ``True``, so your pages will not be served with an
|
set to ``True``, so your pages will not be served with an
|
||||||
``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
|
``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
|
||||||
this header to activate the browser's XSS filtering and help prevent XSS
|
this header to activate the browser's XSS filtering and help prevent XSS
|
||||||
|
|
|
@ -196,7 +196,6 @@ The ``django.middleware.security.SecurityMiddleware`` provides several security
|
||||||
enhancements to the request/response cycle. Each one can be independently
|
enhancements to the request/response cycle. Each one can be independently
|
||||||
enabled or disabled with a setting.
|
enabled or disabled with a setting.
|
||||||
|
|
||||||
* :setting:`SECURE_BROWSER_XSS_FILTER`
|
|
||||||
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
|
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
|
||||||
* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
|
* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
|
||||||
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
|
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
|
||||||
|
@ -422,33 +421,6 @@ setting will be useful.
|
||||||
|
|
||||||
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
|
||||||
.. _x-xss-protection:
|
|
||||||
|
|
||||||
``X-XSS-Protection: 1; mode=block``
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
Some browsers have the ability to block content that appears to be an `XSS
|
|
||||||
attack`_. They work by looking for JavaScript content in the GET or POST
|
|
||||||
parameters of a page. If the JavaScript is replayed in the server's response,
|
|
||||||
the page is blocked from rendering and an error page is shown instead.
|
|
||||||
|
|
||||||
The `X-XSS-Protection header`__ is used to control the operation of the
|
|
||||||
XSS filter.
|
|
||||||
|
|
||||||
To enable the XSS filter in the browser, and force it to always block
|
|
||||||
suspected XSS attacks, you can pass the ``X-XSS-Protection: 1; mode=block``
|
|
||||||
header. ``SecurityMiddleware`` will do this for all responses if the
|
|
||||||
:setting:`SECURE_BROWSER_XSS_FILTER` setting is ``True``.
|
|
||||||
|
|
||||||
.. warning::
|
|
||||||
The browser XSS filter is a useful defense measure, but must not be
|
|
||||||
relied upon exclusively. It cannot detect all XSS attacks and not all
|
|
||||||
browsers support the header. Ensure you are still :ref:`validating and
|
|
||||||
sanitizing <cross-site-scripting>` all input to prevent XSS attacks.
|
|
||||||
|
|
||||||
.. _XSS attack: https://en.wikipedia.org/wiki/Cross-site_scripting
|
|
||||||
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
||||||
|
|
||||||
.. _ssl-redirect:
|
.. _ssl-redirect:
|
||||||
|
|
||||||
SSL Redirect
|
SSL Redirect
|
||||||
|
|
|
@ -2262,20 +2262,6 @@ affect them.
|
||||||
startproject <startproject>` creates a unique ``SECRET_KEY`` for
|
startproject <startproject>` creates a unique ``SECRET_KEY`` for
|
||||||
convenience.
|
convenience.
|
||||||
|
|
||||||
.. setting:: SECURE_BROWSER_XSS_FILTER
|
|
||||||
|
|
||||||
``SECURE_BROWSER_XSS_FILTER``
|
|
||||||
-----------------------------
|
|
||||||
|
|
||||||
Default: ``False``
|
|
||||||
|
|
||||||
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets
|
|
||||||
the :ref:`x-xss-protection` header on all responses that do not already have it.
|
|
||||||
|
|
||||||
Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although
|
|
||||||
the setting offers little practical benefit, you may still want to set the
|
|
||||||
header if you support older browsers.
|
|
||||||
|
|
||||||
.. setting:: SECURE_CONTENT_TYPE_NOSNIFF
|
.. setting:: SECURE_CONTENT_TYPE_NOSNIFF
|
||||||
|
|
||||||
``SECURE_CONTENT_TYPE_NOSNIFF``
|
``SECURE_CONTENT_TYPE_NOSNIFF``
|
||||||
|
@ -3636,7 +3622,6 @@ HTTP
|
||||||
* :setting:`MIDDLEWARE`
|
* :setting:`MIDDLEWARE`
|
||||||
* Security
|
* Security
|
||||||
|
|
||||||
* :setting:`SECURE_BROWSER_XSS_FILTER`
|
|
||||||
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
|
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
|
||||||
* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
|
* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
|
||||||
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
|
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
|
||||||
|
|
|
@ -357,6 +357,24 @@ subdomains by setting :setting:`CSRF_COOKIE_DOMAIN` (or
|
||||||
:setting:`SESSION_COOKIE_DOMAIN` if :setting:`CSRF_USE_SESSIONS` is enabled) to
|
:setting:`SESSION_COOKIE_DOMAIN` if :setting:`CSRF_USE_SESSIONS` is enabled) to
|
||||||
a value starting with a dot.
|
a value starting with a dot.
|
||||||
|
|
||||||
|
``SecurityMiddleware`` no longer sets the ``X-XSS-Protection`` header
|
||||||
|
---------------------------------------------------------------------
|
||||||
|
|
||||||
|
The :class:`~django.middleware.security.SecurityMiddleware` no longer sets the
|
||||||
|
``X-XSS-Protection`` header if the ``SECURE_BROWSER_XSS_FILTER`` setting is
|
||||||
|
``True``. The setting is removed.
|
||||||
|
|
||||||
|
Most modern browsers don't honor the ``X-XSS-Protection`` HTTP header. You can
|
||||||
|
use Content-Security-Policy_ without allowing ``'unsafe-inline'`` scripts
|
||||||
|
instead.
|
||||||
|
|
||||||
|
If you want to support legacy browsers and set the header, use this line in a
|
||||||
|
custom middleware::
|
||||||
|
|
||||||
|
response.headers.setdefault('X-XSS-Protection', '1; mode=block')
|
||||||
|
|
||||||
|
.. _Content-Security-Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
||||||
|
|
||||||
Miscellaneous
|
Miscellaneous
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
|
|
|
@ -175,34 +175,6 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
||||||
"""
|
"""
|
||||||
self.assertNotIn('X-Content-Type-Options', self.process_response().headers)
|
self.assertNotIn('X-Content-Type-Options', self.process_response().headers)
|
||||||
|
|
||||||
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
|
|
||||||
def test_xss_filter_on(self):
|
|
||||||
"""
|
|
||||||
With SECURE_BROWSER_XSS_FILTER set to True, the middleware adds
|
|
||||||
"s-xss-protection: 1; mode=block" header to the response.
|
|
||||||
"""
|
|
||||||
self.assertEqual(
|
|
||||||
self.process_response().headers['X-XSS-Protection'],
|
|
||||||
'1; mode=block',
|
|
||||||
)
|
|
||||||
|
|
||||||
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
|
|
||||||
def test_xss_filter_already_present(self):
|
|
||||||
"""
|
|
||||||
The middleware will not override an "X-XSS-Protection" header
|
|
||||||
already present in the response.
|
|
||||||
"""
|
|
||||||
response = self.process_response(secure=True, headers={"X-XSS-Protection": "foo"})
|
|
||||||
self.assertEqual(response.headers["X-XSS-Protection"], "foo")
|
|
||||||
|
|
||||||
@override_settings(SECURE_BROWSER_XSS_FILTER=False)
|
|
||||||
def test_xss_filter_off(self):
|
|
||||||
"""
|
|
||||||
With SECURE_BROWSER_XSS_FILTER set to False, the middleware does not
|
|
||||||
add an "X-XSS-Protection" header to the response.
|
|
||||||
"""
|
|
||||||
self.assertNotIn('X-XSS-Protection', self.process_response().headers)
|
|
||||||
|
|
||||||
@override_settings(SECURE_SSL_REDIRECT=True)
|
@override_settings(SECURE_SSL_REDIRECT=True)
|
||||||
def test_ssl_redirect_on(self):
|
def test_ssl_redirect_on(self):
|
||||||
"""
|
"""
|
||||||
|
|
Loading…
Reference in New Issue