For which content types is it recommended to set X-XSS-Protection header?

If you decide to use X-XSS-Protection, you should set it for any page capable of running active script content. Non-executable formats like CSS or images are not affected by the header.

Note that SVG images, despite being able to run script code, apparently don't respect the header in Chrome which suggests that it is only applied to HTML documents. Proof of concept:

<?php
header('X-XSS-Protection: 1; mode=block');
header('Content-type: image/svg+xml');
?>
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
<?php echo $_GET['foo']; ?>
</svg>

Run it in your browser like this:http://localhost/xss.php?foo=<script>alert(1)</script>

In my tests, the reflected JS from the parameter is executed although the XSS filter is active. But if you change the content-type to text/html, the JS will be properly filtered.

(Also note that the use of the X-XSS-Protection header is controversial and can result in new vulnerabilities which is why Facebook even decided to deactivate the XSS auditor entirely. And be aware that setting the header doesn't replace proper output escaping.)

Tags:

Header

Xss