disable legacy XSS filtering (#17289)

Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-01-24 13:14:26 +01:00 · 2022-01-24 13:14:26 +01:00 · b99c58b6fe
parent d7adbf5a63
commit b99c58b6fe
1 changed files with 1 additions and 1 deletions
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -108,7 +108,7 @@ Rails.application.configure do
    'Server'                 => 'Mastodon',
    'X-Frame-Options'        => 'DENY',
    'X-Content-Type-Options' => 'nosniff',
-    'X-XSS-Protection'       => '1; mode=block',
+    'X-XSS-Protection'       => '0',
  }

  config.x.otp_secret = ENV.fetch('OTP_SECRET')