The Death of the X-XSS-Protection Header: A Web Security Post-Mortem
摘要
In this article we report on a post-mortem analysis of the X-XSS-Protection header. Our analysis used data from header usage in the wild at the time of its death as judged by the Google Chrome deprecation notice. We processed roughly 2.6 billion HTTP responses and classified them not just by validity or invalidity but by the reasons for each. We created a set of regex-driven attributions (RDAs) to support robust classification. We found great security posture with minimum levels of disablement and a strong preference for additional protections. Unfortunately, we also discovered that misconfigurations often resulted in dangerous situations with potentially less than the expressly desired level of security. Our results have implications for the potential reconsideration of what a browser should consider a fail-safe design, the opportunity to design new mechanisms with security configuration gradients, and motivation that solving just a few errors can make an enormous impact at internet scale. Finally, this article motivates the security community to consider conducting additional post-mortem analysis in a variety of contexts besides the deprecated HTTP header presented here.