Added X-XSS-Protection header support

2024-11-28 08:10:45 +00:00 · 2019-12-31 02:36:17 -05:00 · 2019-12-31 02:36:17 -05:00 · 286c2d5acc
parent 24b74796f4
commit 286c2d5acc
3 changed files with 25 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -80,6 +80,12 @@ WIP section, refer to below:
 			"descriptionmsg": "citizen-config-enabledenyxframeoptions",
 			"public": true
 		},
+		"EnableXXSSProtection": {
+			"value": false,
+			"description": "Enable or disable the X-XSS-Protection header",
+			"descriptionmsg": "citizen-config-enablexxssprotection",
+			"public": true
+		},
 		"EnableFeaturePolicy": {
 			"value": false,
 			"description": "Enable or disable Feature Policy",
--- a/includes/SkinCitizen.php
+++ b/includes/SkinCitizen.php
@ -44,6 +44,9 @@ class SkinCitizen extends SkinTemplate {
 		// Deny X-Frame-Options
 		$this->addXFrameOptions();

+		// X-XSS-Protection
+		$this->addXXSSProtection();
+		
 		// Feature policy
 		$this->addFeaturePolicy();

@ -165,6 +168,16 @@ class SkinCitizen extends SkinTemplate {
 		}
 	}

+
+	/**
+	 * Adds the X-XSS-Protection header if set in 'CitizenEnableXXSSProtection'
+	 */
+	private function addXXSSProtection() {
+		if ( $this->getConfigValue( 'CitizenEnableXXSSProtection' ) === true ) {
+			$this->out->getRequest()->response()->header( 'X-XSS-Protection: 1; mode=block' );
+		}
+	}
+
 	/**
 	 * Adds the Feature policy header to the response if enabled in 'CitizenFeaturePolicyDirective'
 	 */
--- a/skin.json
+++ b/skin.json
@ -81,6 +81,12 @@
 			"descriptionmsg": "citizen-config-enabledenyxframeoptions",
 			"public": true
 		},
+		"EnableXXSSProtection": {
+			"value": false,
+			"description": "Enable or disable the X-XSS-Protection header",
+			"descriptionmsg": "citizen-config-enablexxssprotection",
+			"public": true
+		},
 		"EnableFeaturePolicy": {
 			"value": false,
 			"description": "Enable or disable Feature Policy",