nextcloud.com
[scan.nextcloud.com] X-XSS-Protection does not support "report" property
Hi there!
I tried your web scanner, but I get "A" instead of "A+" because it seems that your scanner is not parsing the X-XSS-Protection HTTP header well.
It seems that it wants "1; mode=block;" as the value for the X-XSS-Protection HTTP header, but does not understand when the attack attempts are reported to some webpage, for example, report-uri.com.
Can you please check if the parser supports it?
My complete header is:
x-xss-protection: 1; mode=block; report="https://XXXXXX.report-uri.com/r/d/xss/enforce"
Thanks, Best regards
I would help with this issue if the source code of scan.nextcloud.com were public, but I cannot find it...
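For reference, a header check that tolerates the `report` directive from the header quoted above, as an added example: this is not scan.nextcloud.com's code (its source is not available on this page), and the function names and the pass rule (filter on plus `mode=block`, `report=` optional) are assumptions.

```python
import re

# Split on ';' only outside double quotes, so a quoted report URI that
# itself contains ';' stays in one piece. Empty segments (for example the
# trailing ';' in "1; mode=block;") produce no token.
_TOKEN = re.compile(r'(?:"[^"]*"|[^;])+')


def parse_x_xss_protection(value):
    """Return (enabled, block, report_uri); raise ValueError if malformed."""
    parts = [t.strip() for t in _TOKEN.findall(value) if t.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError("first token must be 0 or 1")
    enabled = parts[0] == "1"
    block = False
    report_uri = None
    for directive in parts[1:]:
        name, sep, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip()
        if name == "mode" and arg.lower() == "block":
            block = True
        elif name == "report" and sep:
            # The URI may be sent quoted, as in the header from this issue.
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]
            if not arg:
                raise ValueError("report directive has no URI")
            report_uri = arg
        else:
            raise ValueError("unknown directive: %r" % directive)
    return enabled, block, report_uri


def passes_check(value):
    """Assumed scanner rule: filter enabled and mode=block; report= optional."""
    try:
        enabled, block, _report = parse_x_xss_protection(value)
    except ValueError:
        return False
    return enabled and block
```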