From b99c58b6fe85eea32e9c465dc636f7f319cfefec Mon Sep 17 00:00:00 2001
From: Wonderfall <wonderfall@protonmail.com>
Date: Mon, 24 Jan 2022 13:14:26 +0100
Subject: [PATCH] disable legacy XSS filtering (#17289)

Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
---
 config/environments/production.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index aaad2449f..2fca4682a 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -108,7 +108,7 @@ Rails.application.configure do
     'Server'                 => 'Mastodon',
     'X-Frame-Options'        => 'DENY',
     'X-Content-Type-Options' => 'nosniff',
-    'X-XSS-Protection'       => '1; mode=block',
+    'X-XSS-Protection'       => '0',
   }
 
   config.x.otp_secret = ENV.fetch('OTP_SECRET')