Drop deprecated XssProtect middleware

README.md

@@ -47,7 +47,6 @@ Pre-Django 1.10, middleware modules can be added to `MIDDLEWARE_CLASSES` list in
         ...
         'security.middleware.DoNotTrackMiddleware',
         'security.middleware.ContentNoSniff',
-        'security.middleware.XssProtectMiddleware',
         'security.middleware.XFrameOptionsMiddleware',
     )
 
@@ -57,7 +56,6 @@ After Django 1.10, middleware modules can be added to `MIDDLEWARE` list in setti
         ...
         'security.middleware.DoNotTrackMiddleware',
         'security.middleware.ContentNoSniff',
-        'security.middleware.XssProtectMiddleware',
         'security.middleware.XFrameOptionsMiddleware',
     )
 
@@ -139,11 +137,6 @@ or minimum configuration.
 <td>Disable framing of the website, mitigating Clickjacking attacks. <em>Recommended.</em>
 <td>Optional.
 
-<tr>
-<td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.XssProtectMiddleware">XssProtectMiddleware</a>
-<td><b>DEPRECATED: </b>Will be removed in future releases, consider <a href="https://docs.djangoproject.com/en/1.11/ref/middleware/#django.middleware.security.SecurityMiddleware">django.middleware.security.SecurityMiddleware</a> via <i>SECURE_BROWSER_XSS_FILTER</i> setting.<br/>Enforce browser's Cross Site Scripting protection. <em>Recommended.</em>
-<td>None.
-
 </table>
 
 ## Views

security/middleware.py

@@ -187,85 +187,6 @@ def process_response(self, request, response):
         return response
 
 
-class XssProtectMiddleware(BaseMiddleware):
-    """
-    DEPRECATED: Will be removed in future releases. Consider
-    django.middleware.security.SecurityMiddleware as a replacement for this via
-    SECURE_BROWSER_XSS_FILTER setting.
-
-    Sends X-XSS-Protection HTTP header that controls Cross-Site Scripting
-    filter on MSIE. Use XSS_PROTECT option in settings file with the following
-    values:
-
-      ``sanitize``   enable XSS filter that tries to sanitize requests instead
-      of blocking (*default*)
-
-      ``on``         enable full XSS filter blocking XSS requests (may `leak
-      document.referrer <http://homakov.blogspot.com/2013/02/hacking-with-xss-
-      auditor.html>`_)
-
-      ``off``        completely disable XSS filter
-
-    **Note:** As of 1.8, Django's `SECURE_BROWSER_XSS_FILTER
-    <https://docs.djangoproject.com/en/1.8/ref/settings/#secure-browser-xss-filter>`_
-    controls the X-XSS-Protection header.
-
-    Reference:
-
-    - `Controlling the XSS Filter
-      <http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-
-      internet-explorer-xss-filter-with-the-x-xss-protection-http-
-      header.aspx>`_
-    """
-
-    OPTIONAL_SETTINGS = ("XSS_PROTECT",)
-
-    OPTIONS = {
-        "on": "1; mode=block",
-        "off": "0",
-        "sanitize": "1",
-    }
-
-    DEFAULT = "sanitize"
-
-    def __init__(self, get_response=None):
-        super().__init__(get_response)
-        warnings.warn(
-            (
-                'DEPRECATED: The middleware "{name}" will no longer be '
-                "supported in future releases of this library. Refer to {url} for "
-                "an alternative approach with regards to the settings: {settings}"
-            ).format(
-                name=self.__class__.__name__,
-                url=DJANGO_SECURITY_MIDDLEWARE_URL,
-                settings="SECURE_BROWSER_XSS_FILTER",
-            )
-        )
-
-    def load_setting(self, setting, value):
-        if not value:
-            self.option = self.DEFAULT
-            return
-
-        value = value.lower()
-
-        if value in self.OPTIONS.keys():
-            self.option = value
-            return
-
-        raise ImproperlyConfigured(
-            self.__class__.__name__ + " invalid option for XSS_PROTECT."
-        )
-
-    def process_response(self, request, response):
-        """
-        Add X-XSS-Protection to the response header.
-        """
-        header = self.OPTIONS[self.option]
-        response["X-XSS-Protection"] = header
-        return response
-
-
 class ClearSiteDataMiddleware(BaseMiddleware):
     """
     Sends Clear-Site-Data HTTP response header on requests that match

testing/settings.py

@@ -46,7 +46,6 @@
     "security.middleware.ContentSecurityPolicyMiddleware",
     "security.middleware.StrictTransportSecurityMiddleware",
     "security.middleware.P3PPolicyMiddleware",
-    "security.middleware.XssProtectMiddleware",
     "security.middleware.MandatoryPasswordChangeMiddleware",
     "security.middleware.NoConfidentialCachingMiddleware",
     "security.auth_throttling.Middleware",

testing/tests/tests.py

@@ -31,7 +31,6 @@
     DoNotTrackMiddleware,
     SessionExpiryPolicyMiddleware,
     MandatoryPasswordChangeMiddleware,
-    XssProtectMiddleware,
     XFrameOptionsMiddleware,
     ReferrerPolicyMiddleware,
 )
@@ -537,35 +536,6 @@ def test_default_xframe_option(self):
         )
 
 
-@override_settings(MIDDLEWARE=("security.middleware.XssProtectMiddleware",))
-class XXssProtectTests(TestCase):
-    def test_option_set(self):
-        """
-        Verify the HTTP Response Header is set.
-        """
-        response = self.client.get("/accounts/login/")
-        self.assertNotEqual(response["X-XSS-Protection"], None)
-
-    def test_default_setting(self):
-        with self.settings(XSS_PROTECT=None):
-            response = self.client.get("/accounts/login/")
-            self.assertEqual(response["X-XSS-Protection"], "1")  # sanitize
-
-    def test_option_off(self):
-        with self.settings(XSS_PROTECT="off"):
-            response = self.client.get("/accounts/login/")
-            self.assertEqual(response["X-XSS-Protection"], "0")  # off
-
-    def test_improper_configuration_raises(self):
-        xss = XssProtectMiddleware()
-        self.assertRaises(
-            ImproperlyConfigured,
-            xss.load_setting,
-            "XSS_PROTECT",
-            "invalid",
-        )
-
-
 @override_settings(MIDDLEWARE=("security.middleware.ContentNoSniff",))
 class ContentNoSniffTests(TestCase):
     def test_option_set(self):