author Florian Bruhin <me@the-compiler.org> 2019-09-21 14:23:01 +0200
committer Florian Bruhin <me@the-compiler.org> 2019-09-21 14:25:07 +0200
commit 717877596c4a00a4c54843c74b454894124613a0
tree 458692c35efe8bcbec9bace2e3efaa96741aa949
parent 7370f61f5aac746743dafab538c37f109a09ef17
Disable XSS auditing by default

This follows a similar change in Chromium:
https://www.chromium.org/developers/design-documents/xss-auditor
https://bugs.chromium.org/p/chromium/issues/detail?id=968591
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/TCpThW81EAAJ
https://www.chromestatus.com/feature/5021976655560704

From the bug:

TL:DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.
-rw-r--r-- doc/changelog.asciidoc 4
-rw-r--r-- doc/help/settings.asciidoc 3
-rw-r--r-- qutebrowser/config/configdata.yml 6
3 files changed, 11 insertions, 2 deletions
diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc
index 52234ac0c..9ef91d295 100644
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@@ -48,6 +48,10 @@ Changed
- Hosts are now additionally looked up including their ports in netrc files.
- With Qt 5.10 or newer, qutebrowser now doesn't force software rendering with
Nouveau drivers anymore. However, QtWebEngine/Chromium still do so.
+- The XSS Auditor is now disabled by default (`content.xss_auditing` =
+ `false`). This reflects a similar change in Chromium, see
+ their https://www.chromium.org/developers/design-documents/xss-auditor[XSS
+ Auditor Design Document] for details.
Fixed
~~~~~
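Review bot: The new `content.xss_auditing` bullet under Changed gives no reason for the flip and only links out. The settings description added in this same commit already carries the one-line reason (bypasses are widely known, and the auditor can be abused for cross-site info leaks); suggest repeating that clause here so changelog readers see why the default changed without following the link.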
diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc
index 378aba5ec..fe86b577b 100644
--- a/doc/help/settings.asciidoc
+++ b/doc/help/settings.asciidoc
@@ -2249,12 +2249,13 @@ Default: +pass:[false]+
=== content.xss_auditing
Monitor load requests for cross-site scripting attempts.
Suspicious scripts will be blocked and reported in the inspector's JavaScript console.
+Note that bypasses for the XSS auditor are widely known and it can be abused for cross-site info leaks in some scenarios, see: https://www.chromium.org/developers/design-documents/xss-auditor
This setting supports URL patterns.
Type: <<types,Bool>>
-Default: +pass:[true]+
+Default: +pass:[false]+
[[downloads.location.directory]]
=== downloads.location.directory
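Review bot: The note added after "Suspicious scripts will be blocked..." ends in a bare URL after "see:", while the changelog entry in this commit uses the AsciiDoc link form `https://www.chromium.org/developers/design-documents/xss-auditor[XSS Auditor Design Document]`. Suggest the same link form here for consistency. The text matches the `desc` in configdata.yml word for word, so if this file is generated from that YAML the wording change belongs there instead.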
diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml
index 65bc168ad..f48cac189 100644
--- a/qutebrowser/config/configdata.yml
+++ b/qutebrowser/config/configdata.yml
@@ -780,7 +780,7 @@ content.webrtc_ip_handling_policy:
content.xss_auditing:
type: Bool
- default: true
+ default: false
supports_pattern: true
desc: >-
Monitor load requests for cross-site scripting attempts.
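Review bot: The flip at `default: false` lands without any test change; the diffstat lists only the two doc files and configdata.yml. If a test or fixture depends on the old default of `true` it would now be stale, so it is worth searching the test suite for `content.xss_auditing` before merging.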
@@ -788,6 +788,10 @@ content.xss_auditing:
Suspicious scripts will be blocked and reported in the inspector's
JavaScript console.
+ Note that bypasses for the XSS auditor are widely known and it can be
+ abused for cross-site info leaks in some scenarios, see:
+ https://www.chromium.org/developers/design-documents/xss-auditor
+
content.mute:
default: false
type: Bool
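Review bot: With the added note, the description makes two statements that pull against each other: the unchanged lines say suspicious scripts "will be blocked", and the new lines say bypasses are widely known. Suggest qualifying the first part, or stating in the note that the setting is off by default for these reasons, so a user reading the help text knows which way to lean.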