From 70bea77364f78f0a5298f2d2dee00a626e956774 Mon Sep 17 00:00:00 2001
From: Jordan Haine
Date: Tue, 21 Feb 2023 01:02:08 -0500
Subject: [PATCH] Drop deprecated XssProtect middleware
---
 README.md | 7 ----
 security/middleware.py | 79 ------------------------------------------
 testing/settings.py | 1 -
 testing/tests/tests.py | 30 ----------------
 4 files changed, 117 deletions(-)
diff --git a/README.md b/README.md
index 81b673a..5a972c1 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,6 @@ Pre-Django 1.10, middleware modules can be added to `MIDDLEWARE_CLASSES` list in
 ...
 'security.middleware.DoNotTrackMiddleware',
 'security.middleware.ContentNoSniff',
- 'security.middleware.XssProtectMiddleware',
 'security.middleware.XFrameOptionsMiddleware',
 )
@@ -57,7 +56,6 @@ After Django 1.10, middleware modules can be added to `MIDDLEWARE` list in setti
 ...
 'security.middleware.DoNotTrackMiddleware',
 'security.middleware.ContentNoSniff',
- 'security.middleware.XssProtectMiddleware',
 'security.middleware.XFrameOptionsMiddleware',
 )
@@ -139,11 +137,6 @@ or minimum configuration. Disable framing of the website, mitigating Clickjacking attacks. Recommended. Optional.
-
-XssProtectMiddleware
-DEPRECATED: Will be removed in future releases, consider django.middleware.security.SecurityMiddleware via SECURE_BROWSER_XSS_FILTER setting.
Enforce browser's Cross Site Scripting protection. Recommended.
-None.
-
 ## Views
diff --git a/security/middleware.py b/security/middleware.py
index 3a0b5b6..ab5e2a1 100644
--- a/security/middleware.py
+++ b/security/middleware.py
@@ -187,85 +187,6 @@ def process_response(self, request, response):
 return response
-class XssProtectMiddleware(BaseMiddleware):
- """
- DEPRECATED: Will be removed in future releases. Consider
- django.middleware.security.SecurityMiddleware as a replacement for this via
- SECURE_BROWSER_XSS_FILTER setting.
-
- Sends X-XSS-Protection HTTP header that controls Cross-Site Scripting
- filter on MSIE. Use XSS_PROTECT option in settings file with the following
- values:
-
- ``sanitize`` enable XSS filter that tries to sanitize requests instead
- of blocking (*default*)
-
- ``on`` enable full XSS filter blocking XSS requests (may `leak
- document.referrer `_)
-
- ``off`` completely disable XSS filter
-
- **Note:** As of 1.8, Django's `SECURE_BROWSER_XSS_FILTER
- `_
- controls the X-XSS-Protection header.
-
- Reference:
-
- - `Controlling the XSS Filter
- `_
- """
-
- OPTIONAL_SETTINGS = ("XSS_PROTECT",)
-
- OPTIONS = {
- "on": "1; mode=block",
- "off": "0",
- "sanitize": "1",
- }
-
- DEFAULT = "sanitize"
-
- def __init__(self, get_response=None):
- super().__init__(get_response)
- warnings.warn(
- (
- 'DEPRECATED: The middleware "{name}" will no longer be '
- "supported in future releases of this library. Refer to {url} for "
- "an alternative approach with regards to the settings: {settings}"
- ).format(
- name=self.__class__.__name__,
- url=DJANGO_SECURITY_MIDDLEWARE_URL,
- settings="SECURE_BROWSER_XSS_FILTER",
- )
- )
-
- def load_setting(self, setting, value):
- if not value:
- self.option = self.DEFAULT
- return
-
- value = value.lower()
-
- if value in self.OPTIONS.keys():
- self.option = value
- return
-
- raise ImproperlyConfigured(
- self.__class__.__name__ + " invalid option for XSS_PROTECT."
- )
-
- def process_response(self, request, response):
- """
- Add X-XSS-Protection to the response header.
- """ - header = self.OPTIONS[self.option] - response["X-XSS-Protection"] = header - return response - - class ClearSiteDataMiddleware(BaseMiddleware): """ Sends Clear-Site-Data HTTP response header on requests that match diff --git a/testing/settings.py b/testing/settings.py index 670eac1..ce0a287 100644 --- a/testing/settings.py +++ b/testing/settings.py @@ -46,7 +46,6 @@ "security.middleware.ContentSecurityPolicyMiddleware", "security.middleware.StrictTransportSecurityMiddleware", "security.middleware.P3PPolicyMiddleware", - "security.middleware.XssProtectMiddleware", "security.middleware.MandatoryPasswordChangeMiddleware", "security.middleware.NoConfidentialCachingMiddleware", "security.auth_throttling.Middleware", diff --git a/testing/tests/tests.py b/testing/tests/tests.py index c299ce6..f72f370 100644 --- a/testing/tests/tests.py +++ b/testing/tests/tests.py @@ -31,7 +31,6 @@ DoNotTrackMiddleware, SessionExpiryPolicyMiddleware, MandatoryPasswordChangeMiddleware, - XssProtectMiddleware, XFrameOptionsMiddleware, ReferrerPolicyMiddleware, ) 
@@ -537,35 +536,6 @@ def test_default_xframe_option(self):
 )
-@override_settings(MIDDLEWARE=("security.middleware.XssProtectMiddleware",))
-class XXssProtectTests(TestCase):
- def test_option_set(self):
- """
- Verify the HTTP Response Header is set.
- """
- response = self.client.get("/accounts/login/")
- self.assertNotEqual(response["X-XSS-Protection"], None)
-
- def test_default_setting(self):
- with self.settings(XSS_PROTECT=None):
- response = self.client.get("/accounts/login/")
- self.assertEqual(response["X-XSS-Protection"], "1") # sanitize
-
- def test_option_off(self):
- with self.settings(XSS_PROTECT="off"):
- response = self.client.get("/accounts/login/")
- self.assertEqual(response["X-XSS-Protection"], "0") # off
-
- def test_improper_configuration_raises(self):
- xss = XssProtectMiddleware()
- self.assertRaises(
- ImproperlyConfigured,
- xss.load_setting,
- "XSS_PROTECT",
- "invalid",
- )
-
-
 @override_settings(MIDDLEWARE=("security.middleware.ContentNoSniff",))
 class ContentNoSniffTests(TestCase):
 def test_option_set(self):