fix(security): remove obsolete X-XSS-Protection header support#1309
Merged
JohnVillalovos merged 1 commit into develop on Apr 5, 2026
Conversation
Remove the security.x-xss config key and X-XSS-Protection header. This header is obsolete — the XSS Auditor it controlled has been removed from all modern browsers, and in some cases it could be exploited to introduce vulnerabilities. The key is registered in DeprecatedConfigKeys so existing config files produce a helpful deprecation message instead of an unknown key warning.
Contributor
Pull request overview
Removes support for the obsolete X-XSS-Protection security header and its associated configuration key, while preserving a clear deprecation path so existing config files emit a helpful “removed key” message instead of “unknown key”.
Changes:
- Stop sending the X-XSS-Protection header from the main page response.
- Remove the security.x-xss config key from the config schema, docs, and config templates.
- Register security.x-xss (and its legacy form) in DeprecatedConfigKeys, and add unit tests for deprecation lookups.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/Infrastructure/Config/DeprecatedConfigKeysTest.php | Adds coverage for deprecated-key reason lookups and key normalization invariants |
| Pages/Page.php | Removes the X-XSS-Protection header emission |
| lib/Config/DeprecatedConfigKeys.php | Registers removed security.x-xss keys so config validation logs a deprecation message |
| lib/Config/ConfigKeys.php | Removes the SECURITY_X_XSS config definition from the schema |
| docs/source/ADVANCED-CONFIGURATION.rst | Deletes documentation for the removed security setting |
| config/config.dist.php | Removes the x-xss default from the distributed config template |
| .env.example | Removes the obsolete env var example for LB_SECURITY_X_XSS |
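The deprecation path described in the PR description and in the review summary above (a removed key is looked up in a deprecated-key registry before it is reported as unknown, with the canonical and legacy spellings normalized to one entry) can be illustrated with a small validator. This is an added example, not the project's own DeprecatedConfigKeys or ConfigKeys code: the class and method names, the set of known keys, and the underscore legacy spelling `security.x_xss` are assumptions made for the example.

```php
<?php
// Added example, not the project's code. Shows a config validator that consults a
// deprecated-key registry before falling back to an "unknown key" message, so an
// operator whose config still contains security.x-xss learns why it is ignored.
// The legacy underscore spelling and the list of known keys are assumptions.
declare(strict_types=1);

final class DeprecatedConfigKeys
{
    /** Normalized key => reason shown to the operator (example registry). */
    private const REASONS = [
        'security.x-xss' => 'X-XSS-Protection is obsolete: the XSS Auditor it controlled '
            . 'has been removed from all modern browsers. Remove this key.',
    ];

    /**
     * Normalize a key so the canonical and legacy spellings resolve to the same
     * entry: trim, lower-case, and map underscores to hyphens. Idempotent, so
     * normalize(normalize($k)) === normalize($k) holds for every key.
     */
    public static function normalize(string $key): string
    {
        return str_replace('_', '-', strtolower(trim($key)));
    }

    /** Returns the deprecation reason, or null if the key was never deprecated. */
    public static function reasonFor(string $key): ?string
    {
        return self::REASONS[self::normalize($key)] ?? null;
    }
}

final class ConfigValidator
{
    /** Keys the schema still accepts (a constructed subset for this example). */
    private const KNOWN_KEYS = ['site.name', 'security.hsts'];

    /**
     * @param array<string,mixed> $config
     * @return list<string> one message per key that is not part of the schema
     */
    public static function validate(array $config): array
    {
        $messages = [];
        foreach ($config as $key => $value) {
            if (in_array($key, self::KNOWN_KEYS, true)) {
                continue;
            }
            // Deprecated keys get an explanatory message; everything else is unknown.
            $reason = DeprecatedConfigKeys::reasonFor($key);
            $messages[] = $reason !== null
                ? sprintf('Deprecated config key "%s" ignored: %s', $key, $reason)
                : sprintf('Unknown config key "%s"', $key);
        }
        return $messages;
    }
}

// Constructed sample config: one current key, the removed key in both spellings,
// and one genuinely unknown key.
$sample = [
    'site.name'      => 'Example',
    'security.x-xss' => '1; mode=block',
    'security.x_xss' => '1; mode=block',
    'security.typo'  => true,
];

foreach (ConfigValidator::validate($sample) as $message) {
    echo $message, PHP_EOL;
}
```

Run with `php validator.php`: the two `security.x-xss` spellings each produce the deprecation message with the reason from the registry, while `security.typo` is reported as an unknown key. Keeping the reason text in the registry rather than in the validator is what lets a removed key be documented once and recognized under every spelling the normalizer maps to it.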