Import X-XSS-Protection middleware

This imports the [x-xss-protection package][0] into this repo as part of my effort to make Helmet a monorepo. You can find its prior history in the old repo. Similar to: * df561bb which imported `helmet-csp` * 936cd27 which imported `referrer-policy` * 141f131 which imported `crossdomain` * ff12fb7 which imported `dont-sniff-mimetype` * 2b64d11 which imported `hide-powered-by` * 7906601 which imported `frameguard` * d03c555 which imported `expect-ct` * e933c28 which imported `dns-prefetch-control` * 13b496f which imported `ienoopen` [0]: https://github.com/helmetjs/x-xss-protection
helmetjs · Jul 10, 2020 · f98ff72 · f98ff72
1 parent e1746c1
commit f98ff72
Show file tree

Hide file tree

Showing 11 changed files with 106 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@
   - There is now a default set of directives if none are supplied
   - Duplicate keys now throw an error
   - This middleware is more lenient
+- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
 
 ### Removed
 
@@ -30,6 +31,7 @@
   - Removed the `disableAndroid` option
 - `helmet.frameguard`:
   - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
+- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X–XSS–Protection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X–XSS–Protection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
 
 ## Unreleased
 

diff --git a/index.ts b/index.ts
@@ -8,6 +8,7 @@ import xDownloadOptions from "./middlewares/x-download-options";
 import xFrameOptions from "./middlewares/x-frame-options";
 import xPermittedCrossDomainPolicies from "./middlewares/x-permitted-cross-domain-policies";
 import xPoweredBy from "./middlewares/x-powered-by";
+import xXssProtection from "./middlewares/x-xss-protection";
 
 interface HelmetOptions {
   contentSecurityPolicy?: any;
@@ -131,6 +132,6 @@ helmet.ieNoOpen = xDownloadOptions;
 helmet.noSniff = xContentTypeOptions;
 helmet.permittedCrossDomainPolicies = xPermittedCrossDomainPolicies;
 helmet.referrerPolicy = referrerPolicy;
-helmet.xssFilter = require("x-xss-protection");
+helmet.xssFilter = xXssProtection;
 
 export = helmet;
diff --git a/middlewares/x-xss-protection/CHANGELOG.md b/middlewares/x-xss-protection/CHANGELOG.md
@@ -0,0 +1,37 @@
+# Changelog
+
+## 2.0.0 - Unreleased
+
+### Changed
+
+- XSS filtering is now disabled by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
+
+### Removed
+
+- No longer accepts options. Read ["How to disable blocking with X–XSS–Protection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X–XSS–Protection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
+- Dropped support for old Node versions. Node 10+ is now required
+
+## 1.3.0 - 2019-09-01
+
+### Added
+
+- Added `mode: null` to disable `mode=block`
+
+### Changed
+
+- Minor performance improvements with Internet Explorer <9 detection
+
+## 1.2.0 - 2019-06-15
+
+### Added
+
+- Added TypeScript type definitions. See [#8](https://github.com/helmetjs/x-xss-protection/pull/8)
+- Created a changelog
+- Added some additional package metadata
+
+### Changed
+
+- Updated documentation
+- Excluded some files from npm package
+
+Changes in versions 1.1.0 and below can be found in [Helmet's changelog](https://github.com/helmetjs/helmet/blob/master/CHANGELOG.md).
diff --git a/middlewares/x-xss-protection/README.md b/middlewares/x-xss-protection/README.md
@@ -0,0 +1,24 @@
+# X-XSS-Protection middleware
+
+The `X-XSS-Protection` HTTP header aimed to offer a basic protection against cross-site scripting (XSS) attacks. _However, you probably should disable it_, which is what this middleware does.
+
+Many browsers have chosen to remove it because of the unintended security issues it creates. Generally, you should protect against XSS with sanitization and a Content Security Policy. For more, read [this GitHub issue](https://github.com/helmetjs/helmet/issues/230).
+
+This middleware sets the `X-XSS-Protection` header to `0`. For example:
+
+```javascript
+const xXssProtection = require("x-xss-protection");
+
+// Set "X-XSS-Protection: 0"
+app.use(xXssProtection());
+```
+
+If you truly need the legacy behavior, you can write your own simple middleware and avoid installing this module. For example:
+
+```javascript
+// NOTE: This is probably insecure!
+app.use((req, res, next) => {
+  res.setHeader("X-XSS-Protection", "1; mode=block");
+  next();
+});
+```
diff --git a/middlewares/x-xss-protection/index.ts b/middlewares/x-xss-protection/index.ts
@@ -0,0 +1,17 @@
+import { IncomingMessage, ServerResponse } from "http";
+
+function xXssProtectionMiddleware(
+  _req: IncomingMessage,
+  res: ServerResponse,
+  next: () => void
+) {
+  res.setHeader("X-XSS-Protection", "0");
+  next();
+}
+
+function xXssProtection() {
+  return xXssProtectionMiddleware;
+}
+
+module.exports = xXssProtection;
+export default xXssProtection;
diff --git a/middlewares/x-xss-protection/package-files.json b/middlewares/x-xss-protection/package-files.json
@@ -0,0 +1 @@
+["index.js", "index.d.ts"]
diff --git a/middlewares/x-xss-protection/package-overrides.json b/middlewares/x-xss-protection/package-overrides.json
@@ -0,0 +1,7 @@
+{
+  "name": "x-xss-protection",
+  "description": "Middleware to disable the X-XSS-Protection header",
+  "version": "1.3.0",
+  "keywords": ["express", "security", "x-xss-protection"],
+  "homepage": "https://helmetjs.github.io/docs/xss-filter/"
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -46,11 +46,11 @@
     "dist/middlewares/x-download-options/index.js",
     "dist/middlewares/x-frame-options/index.js",
     "dist/middlewares/x-permitted-cross-domain-policies/index.js",
-    "dist/middlewares/x-powered-by/index.js"
+    "dist/middlewares/x-powered-by/index.js",
+    "dist/middlewares/x-xss-protection/index.js"
   ],
   "dependencies": {
-    "hsts": "2.2.0",
-    "x-xss-protection": "1.3.0"
+    "hsts": "2.2.0"
   },
   "devDependencies": {
     "@types/connect": "^3.4.33",

diff --git a/test/index.test.ts b/test/index.test.ts
@@ -9,6 +9,7 @@ import xDowloadOptions from "../middlewares/x-download-options";
 import xFrameOptions from "../middlewares/x-frame-options";
 import xPermittedCrossDomainPolicies from "../middlewares/x-permitted-cross-domain-policies";
 import xPoweredBy from "../middlewares/x-powered-by";
+import xXssProtection from "../middlewares/x-xss-protection";
 
 describe("helmet", function () {
   describe("module aliases", function () {
@@ -57,9 +58,8 @@ describe("helmet", function () {
       expect(helmet.referrerPolicy.name).toBe(referrerPolicy.name);
     });
 
-    it('aliases "x-xss-protection"', function () {
-      const pkg = require("x-xss-protection");
-      expect(helmet.xssFilter).toBe(pkg);
+    it("aliases the X-XSS-Protection middleware to helmet.xssFilter", function () {
+      expect(helmet.xssFilter.name).toBe(xXssProtection.name);
     });
   });
 

diff --git a/test/x-xss-protection.test.ts b/test/x-xss-protection.test.ts
@@ -0,0 +1,10 @@
+import { check } from "./helpers";
+import xXssProtection from "../middlewares/x-xss-protection";
+
+describe("X-XSS-Protection middleware", () => {
+  it('sets "X-XSS-Protection: 0"', async () => {
+    await check(xXssProtection(), {
+      "x-xss-protection": "0",
+    });
+  });
+});