 

X-XSS-Protection vs CSP

As far as I understand, CSP can be used for all the same things as X-XSS-Protection and more. If you are using CSP, is there any good reason to use X-XSS-Protection as well?

asked Jul 14 '15 17:07 by twiz



1 Answer

is there any good reason to use X-XSS-Protection as well?

With some doubts (see Kevin's comment below), the answer is probably yes.

X-XSS-Protection activates a heuristic reflected-XSS detection feature. Reflected XSS comes in the form of parameters, which makes it easy to determine the scope of the potential attack.

Browsers execute HTML. By definition, browsers cannot provide any guarantees about the data safety of server-generated HTML code. It is impossible to determine trusted vs. malicious JavaScript... unless you use CSP. CSP allows you to choose what JavaScript the browser executes.

An enforced CSP that does not allow inline JavaScript, eval, or 3rd-party sources is pretty solid, and X-XSS-Protection would provide little benefit to most of your users.

If your users' browsers support CSP, that is.

X-XSS-Protection has been supported by IE for many years. So in the case that someone is using IE < 12, CSP is useless, whereas X-XSS-Protection can help.

So, yes. Both. Always. The internet would be a much safer world if every website deployed both.

Consensus has changed since this was originally written. It is now advised to explicitly disable the feature with X-XSS-Protection: 0.

I haven't dug in too far, but I haven't found a site that uses CSP but not X-XSS-Protection:

#!/bin/sh
# Fetch only the response headers (-I) quietly (-s) and keep the two headers of interest.
for i in twitter.com vine.co github.com
do
   echo "$i"
   curl -Is "https://$i" | grep -iE "(x-xss-protection|content-security-policy)"
done
answered Oct 01 '22 08:10 by oreoshake
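As an added example (not part of the original question or answer), the following Python applies the answer's criterion to a response's headers: the effective script policy must allow no inline script, no eval and no third-party or wildcard hosts, and X-XSS-Protection should be explicitly 0. It goes slightly beyond the answer in that it follows the CSP Level 3 rules a modern browser applies: a nonce or hash in script-src makes 'unsafe-inline' ignored, and 'strict-dynamic' makes host and scheme sources ignored. The header values and the origin host www.example.com are constructed for illustration, not captured from any real site.

```python
"""Check CSP / X-XSS-Protection headers against the answer's criterion.

Added example, not code from the original page. Sample headers below are
constructed; the origin host 'www.example.com' is an assumption.
"""
from typing import Dict, List, Optional, Tuple

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
WILDCARD_SOURCES = ("*", "http:", "https:", "data:", "blob:")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive; browsers honour the first
    occurrence of a directive and ignore later duplicates."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src falls back to default-src; None means no script policy at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def _same_site(host_source: str, origin_host: str) -> bool:
    """Host-source comparison: strip scheme/path/port, allow '*.example.com'."""
    host = host_source.split("://")[-1].split("/")[0].split(":")[0]
    if host.startswith("*."):
        return origin_host.endswith(host[1:])
    return host == origin_host


def script_weaknesses(csp_value: str, origin_host: str) -> List[str]:
    """Return the ways the effective script policy falls short of
    'no inline, no eval, no third-party' (empty list means solid)."""
    sources = effective_script_sources(parse_csp(csp_value))
    if sources is None:
        return ["no script-src or default-src: any script may run"]
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return []
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    strict_dynamic = "'strict-dynamic'" in lowered
    found: List[str] = []
    # CSP3: 'unsafe-inline' is ignored when a nonce or hash is present.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        found.append("inline script allowed ('unsafe-inline' without nonce/hash)")
    if "'unsafe-eval'" in lowered:
        found.append("eval allowed ('unsafe-eval')")
    # CSP3: 'strict-dynamic' makes host and scheme sources ignored.
    if not strict_dynamic:
        for s in lowered:
            if s.startswith("'"):
                continue  # keyword, nonce or hash expression
            if s in WILDCARD_SOURCES:
                found.append(f"wildcard/scheme source {s}")
            elif not _same_site(s, origin_host):
                found.append(f"third-party script host {s}")
    return found


def review_headers(headers: Dict[str, str], origin_host: str) -> Tuple[bool, List[str]]:
    """Return (csp_is_solid, notes) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    weaknesses = (["no Content-Security-Policy header"] if csp is None
                  else script_weaknesses(csp, origin_host))
    notes = list(weaknesses)
    xss = h.get("x-xss-protection")
    if xss is None or xss.split(";")[0].strip() != "0":
        notes.append("X-XSS-Protection not explicitly disabled (current advice: X-XSS-Protection: 0)")
    return (not weaknesses, notes)


# Constructed sample responses (assumed origin: www.example.com).
SAMPLE_RESPONSES = {
    "weak": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                                   "'unsafe-eval' https://cdn.example.net",
        "X-XSS-Protection": "1; mode=block",
    },
    "strict": {
        "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m' "
                                   "'unsafe-inline'; object-src 'none'; base-uri 'none'",
        "X-XSS-Protection": "0",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        solid, notes = review_headers(hdrs, "www.example.com")
        print(f"{label}: csp_solid={solid}")
        for n in notes:
            print("  -", n)
```

The "strict" sample passes because the nonce makes its 'unsafe-inline' fallback harmless in CSP3 browsers while still covering older ones, which is the usual way to keep a strict policy compatible; the "weak" sample fails on all three counts and also still carries a non-zero X-XSS-Protection. To run this against a live site, feed it the headers from the curl loop in the answer instead of SAMPLE_RESPONSES.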