Did XSS reach its end-of-life with the introduction of the HTTP X-XSS-Protection header?


No. X-XSS-Protection is only used to enable or disable the inbuilt filtering[*] - which is generally enabled by default anyway.

So a more fitting question would be if XSS reached its end-of-life with browser filters.

But again, the answer is no. XSS is still a danger, because of three reasons:

  • Persistent XSS is not affected by browser filtering at all, as the browser has no way of knowing what is user input and what isn't.
  • Some browsers do not have filters against XSS, for example Firefox. XSS vulnerabilities are introduced server-side and web developers should not rely on browser vendors defending against them.
  • Bypassing of browser filters: XSS is context sensitive, which makes it very difficult to defend against without knowing the context (which is also why XSS should be defended when outputting data, not via some generic input filter).

The bypassing can basically happen because of two reasons:

  1. There is a bug in the filter.
  2. The user input is echoed in a location where filtering is not practical. One example would be <script>[userinput]</script>.

[*] As the header is not defined in any RFC, it is difficult to say how browsers will react. For example, Chrome 51 will disable its filter if the header is set to 0, but it will not re-enable the filter in case the user disabled it if 1 is set. Other browsers may behave differently.

Which could be as simple as "We don't support browsers X, X and X and versions X and lower.".

It's really not that simple. Especially large organizations are notoriously bad at updating. Depending on your website, you can't just say that you don't support browsers X.

Secondly, what (popular) browsers implemented this security feature, is it enabled by default, and since what version or on what date was that version released?

X-XSS-Protection is supported by IE, Chrome, and Safari.

Chrome had an XSS filter since 2010 (Chrome 4). It was disabled by default in the same year, and then re-enabled in Chrome 8.

IE had an XSS filter since 2008 (IE 8).

Firefox doesn't have a filter, the NoScript plugin does though.

Thirdly, are there known bypasses of that browser's XSS filter?

Yes. Of course. There are more. Most depend on some specific situation (eg input is echoed in two locations). The IE8 filter actually introduced an XSS vulnerability, even into sites that did not contain one.
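As an added example that is not part of the original answer, the following JavaScript puts two of the points above into runnable code: a toy reflection-based filter that can only neutralise a payload it also sees in the request URL (so a stored payload passes straight through), and context-sensitive output encoding, including the `<script>[userinput]</script>` case where HTML encoding achieves nothing. The toy auditor, the encoders, the page templates and every sample input are constructed for this illustration; the auditor is a deliberate simplification of the reflection idea, not the actual algorithm of IE, Chrome or any other browser.

```javascript
// Added example, not code from the original answer. All inputs are constructed.

// --- Part 1: a toy reflection-based filter (simplified idea, not a real browser's
// algorithm). A <script> block in the response is blanked only when the same text
// also occurs in the request URL. That is the whole reason a stored (persistent)
// payload is invisible to it: nothing in the request links the script to user input.
function toyReflectedXssAuditor(requestUrl, responseHtml) {
  // new URL() percent-encodes <, > and " in the query; decode to compare raw text.
  const query = decodeURIComponent(new URL(requestUrl).search);
  return responseHtml.replace(/<script>[\s\S]*?<\/script>/gi, (block) =>
    query.includes(block) ? '<script></script>' : block);
}

// --- Part 2: output encoders chosen per context.
// HTML text-node and quoted-attribute context: escape what the HTML parser treats
// specially. Attribute values must always be quoted in the template for this to hold.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context inside <script>: entities are NOT decoded here, so HTML
// escaping is the wrong tool. JSON.stringify yields a quoted literal with quotes,
// backslashes and line terminators escaped; the extra pass turns <, >, &, U+2028 and
// U+2029 into \uXXXX, so the result can never contain "</script" and stays valid JS.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The answer's "filtering is not practical" location: input dropped unquoted into
// <script>. A payload like alert(document.cookie) contains no character any
// escaping routine would touch, so the only fix is to change the context.
function renderUnsafe(userInput) {
  return `<script>${userInput}</script>`;
}
function renderHtmlEscapedOnly(userInput) {
  // Still vulnerable: escapeHtml leaves letters, dots and parentheses untouched.
  return `<script>${escapeHtml(userInput)}</script>`;
}
function renderSafe(userInput) {
  // Each sink gets the encoder for its own context; the script sink becomes a
  // quoted string literal, so the payload is data, not code.
  return [
    `<p>${escapeHtml(userInput)}</p>`,
    `<input value="${escapeHtml(userInput)}">`,
    `<script>var name = ${jsStringLiteral(userInput)};</script>`,
  ].join('\n');
}

// --- Demo (constructed inputs).
const storedPayload = 'alert(document.cookie)';
const storedPage = `<p>Profile</p>${renderUnsafe(storedPayload)}`;
console.log('stored payload survives the filter:',
  toyReflectedXssAuditor('https://example.test/profile?id=42', storedPage) === storedPage);

const reflected = '<script>alert(1)</script>';
console.log('reflected payload is blanked:',
  toyReflectedXssAuditor(`https://example.test/search?q=${reflected}`,
    `<p>Results for</p>${reflected}`).includes('<script></script>'));

console.log('HTML escaping alone:', renderHtmlEscapedOnly(storedPayload));
console.log('context-aware:\n' + renderSafe('</script><script>alert(1)</script>'));
```

The module exports nothing on purpose; it is meant to be run with `node` and read top to bottom. The important comparison is the last two lines of output: `renderHtmlEscapedOnly` emits the attacker's code verbatim, while `renderSafe` turns the same input into an inert string literal in the script sink and entity-encoded text in the HTML sinks.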