[Bug]: Setup check for `X-XSS-Protection` recommendation is deprecated

[jbouter]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

The Nextcloud administration page shows the following warning:

The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

However, the X-XSS-Protection header is deprecated. OWASP recommends you remove the header from your webserver

It shows the following warning when the header is used:

Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.

Steps to reproduce

1. Log into a Nextcloud instance as admin
2. Navigate towards the Administration > Overview page
3. Observe the recommendation of Nextcloud to set the X-XSS-Protection header

Expected behavior

Do not show this recommendation, and possibly advice users to unset the HTTP header in order to inform them of its deprecation.

[szaimen]

Hi, which nc version?

[jbouter]

Hi @szaimen! Version is 25.0.4

[kesselb]

Related: https://github.com/nextcloud/server/issues/34748

[aentwist]

I am just getting set up and am already unsetting it in my web server layer. So for me the recommendation to add it back is just obnoxious.

Instead of setting it to 0, it should simply not be set.

This is bending this issue a little bit. Remove the whole thing instead of just the warning. I wouldn't remove the in-your-face part until the underlying problem is fixed.

---

Adding the MDN docs to this ~

These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Warning: Even though this feature can protect users of older web browsers that don't yet support CSP, in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites.

---

Non-comprehensive list for removal

• [ ] .htaccess
• [ ] docs NGINX example configs
• [ ] JS warning
• [ ] dav-related
• [ ] addSecurityHeaders
• [ ] test-related

And also

• [ ] verify the CSP is "strong enough"

---

See also

• Nothing supports it except Safari
• But actually Safari doesn't either

[magikmw]

Still relevant for v26.0.4

[fa-ve]

Still relevant for: v27.1.3

[psychedelicu]

Still relevant for v28.0.5.1 :)

[CoLuxe]

And still for v29.0.1

Nextcloud still set this header automatically (See: Nextcloud Documentation ) and show the warning if you overwrite it with your webserver. Its deprecated and Nextcloud should not set this header.

[Sabering1]

Still relevant

[Flo354]

Issue is still present in version 30. According to this page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Warning: Even though this feature can protect users of older web browsers that don't support [CSP](https://developer.mozilla.org/en-US/docs/Glossary/CSP), in some cases, X-XSS-Protection can create XSS vulnerabilities in otherwise safe websites.

When will it be removed?

[iasdeoupxe]

When will it be removed?

As the issue got created 2 years ago probably a community PR is required to get rid of this, seems there is no real interest / priority from Nextcloud side to solve this so far. Alternative could be to "upvote" the initial description to show how many users are affected.

Looks ownCloud handled that already a few years ago: https://owncloud.com/changelog/server/#changelog-for-owncloud-core-1070-2021-03-26

@jbouter There is a typo X-XXS-Protection in the issue title which should be X-XSS-Protection

[invario]

https://github.com/OWASP/CheatSheetSeries/issues/376#issuecomment-602663932

Ariel,

My name is Jim I'm the project lead and chief editor for the cheatsheet project. I'd like to make the call. I've been studying this issue for a while and it's dangerous to set this header. It makes sites that are not vulnerable to XSS, vulnerable.

Scott Helme's site does not evaluate header values, it just checks if they are present. The grades it gives are highly inaccurate.

So let's change these recommendations. We have enough to make the call.

Developers need to either remove the header or set it to zero, I think the debate is over. There is NO good reason to set this header to blocking mode.

Respectfully, Jim Manico Cheatsheet Project Lead

Bold/emphasis added by me. Is there a reason this is still lingering around in the various locations listed above in this post? https://github.com/nextcloud/server/issues/37154#issuecomment-1478886601

I also searched the repo for unsafe-inline (which is generally suggested to not be used in the CSP) and noticed that it is being used throughout by some parts of NC, which is why I was hesitant to even attempt to touch this X-XSS-Protection deal, but it seems based on the above comment that the X-XSS-Protection header just really, really shouldn't be used anymore, no matter what, even if unsafe-inline is being used.

I'm going to start working on just removing it and hopefully I'll have a PR up some time in the not so distant future.

[iasdeoupxe]

Looks a documentation PR is there since some years as well: nextcloud/documentation#9188

[RyuKay24]

Is there any workaround to disable the warning on the admin panel for now?

[iasdeoupxe]

Don't think so, any workaround would AFAICT require modification of core files which in turn would hide this message but would cause a new integrity check failure message.

[invario]

My pull request #53476 is pending. Which removes the messages and checks. Feel free to give it a test.

[iasdeoupxe]

Looks another pending PR with a different approach by @MichaIng in #53711

[MichaIng]

Yeah, coincidence. After sleeping a night over it, I think @invario's approach makes more sense. It is not worth the hassle to keep the check at all. Better people forget about this header. Also from security perspective, my approach is not really better, as it does not tell admin to change to the safer value (or remove the header) either, but still keeps the code for the check etc.

If we would want to tell admins to apply safest settings, we would need to check for either no header or value "0". But this will trigger a lot of tickets/topics of people asking how to do it, annoying both sides, and this is simply not worth it, IMO. The previous 1; mode=block value is not that bad either. As far as I understand, the side-channel attacks are only possible if the website can be embedded in an iframe. But Nextcloud sets/checks for X-Frame-Options SAMEORIGIN and sets CSP frame-ancestors 'self';, which prevents this on external sites. And it affects only Chromium 77 from 2019 and older, Firefox never supported XSS filtering, IE is not supported by Nextcloud since a while. ... no point to open this can of worms.

[iasdeoupxe]

Plus: There are some more relevant security headers these days which are not getting checked at all, one could argue that it is not in the responsibility of a web application to give such guidance at all (Nextcloud / ownCloud are the only one i'm aware of which are doing such suggestions).

[MichaIng]

Which ones do you mean in particular? Note that CSP is set be each individual Nextcloud page in PHP, the way it should be, so this is not something which can be set by the admin, without breaking things.

[iasdeoupxe]

Yes, CSP is a thing for the web app AFAICT as it needs web app knowledge to prevent breakage. 👍

But there are some more for example not checked like e.g.: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#permissions-policy-formerly-feature-policy

(Ah, Nextcloud is setting the "old" one feature-policy instead it seems: #22792 and this didn't needed a setup check).

Also not sure about this one:

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#cross-origin-embedder-policy-coep

But for now focusing on getting rid of X-XSS-Protection should be fine 👍

[MichaIng]

Also Permissions-Policy is something that is better generated by the backend. In fact Feature-Policy is already, but it needs to be migrated. There was a start done working on this, but never finished: #23825

COOP, COEP, CORP, and in case CORS on needed remote resources, would be indeed great to have consequently implemented. Some apps will surely depend on cross-origin resources, and they would need to use CORS headers consequently for this to work. I just set this on my instance (Apache2), so far everything works fine:

Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"

• So all resources declare that they are only allowed to be read from documents of the same origin.
• All embedded resources must set the CORP header, which we just did, or CORS.
• And documents from other origins always open in a new browser context group. The other way round, also our documents declare that they must be opened in a new browser context group when accessed from documents of another origin. But that is redundant, since they also declare that they must not be read at all in that case.
• Whether/from which other origins resources are permitted is controlled by CSP.