Re: [CSP3] reflected XSS directive

X-XSS-Protection 
<https://owasp.org/www-project-secure-headers/#x-xss-protection> should 
be zeroed out, leaving it in block mode makes your websites less secure.

Here is an article to that effect. This is from a bug bounty hunter 
taking advantage of the auditor, finding XSS where none exists other 
than the flaws of the auditor.

https://infosecwriteups.com/xss-auditor-the-protector-of-unprotected-f900a5e15b7b

- Jim Manico
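The following is an added example, written for this archive page and not code from Jim Manico, the OWASP Secure Headers project, or the original poster. It audits a response's `X-XSS-Protection` and `Content-Security-Policy` headers against the advice above: the legacy header should be `0`, and reflected-XSS protection should come from a CSP `script-src`/`default-src` policy rather than the obsolete `reflected-xss` directive. Header names are compared case-insensitively (an assumption, matching how browsers treat them), and the two sample header sets are constructed for illustration.

```python
"""Audit X-XSS-Protection and Content-Security-Policy response headers.

Added example, not from the mailing-list thread. Checks encoded here:
  * X-XSS-Protection should be exactly "0" (legacy auditor disabled).
  * A Content-Security-Policy should be present and restrict scripts
    via script-src or default-src.
  * The CSP "reflected-xss" directive was dropped before CSP Level 3
    and is ignored by current browsers, so its presence is flagged.
"""
from __future__ import annotations


def parse_xss_protection(value: str) -> tuple[str, dict[str, str]]:
    """Split '1; mode=block' into ('1', {'mode': 'block'})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    params: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip()
    return parts[0], params


def parse_csp(value: str) -> dict[str, list[str]]:
    """Map each CSP directive name (lower-cased) to its source list."""
    directives: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for the given response headers; [] means all good."""
    lower = {k.lower(): v for k, v in headers.items()}  # assumption: case-insensitive names
    findings: list[str] = []

    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: send '0' so legacy auditors stay off")
    else:
        mode, _params = parse_xss_protection(xss)
        if mode != "0":
            findings.append(
                f"X-XSS-Protection is '{xss}': this enables the legacy auditor; set it to '0'"
            )

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: add a policy with script-src or default-src")
    else:
        directives = parse_csp(csp)
        if "reflected-xss" in directives:
            findings.append("CSP 'reflected-xss' directive is not in CSP3 and is ignored; remove it")
        if "script-src" not in directives and "default-src" not in directives:
            findings.append("CSP has neither script-src nor default-src; it does not restrict scripts")
    return findings


# Constructed sample header sets: the configuration from the question, and the corrected one.
WEAK_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "reflected-xss block; script-src 'self'",
}
HARDENED_HEADERS = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

Running the script reports two findings for the weak set (the `1; mode=block` header and the obsolete `reflected-xss` directive) and none for the hardened set, which is the combination the thread recommends: the legacy header switched off and script control delegated entirely to CSP.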

On 8/29/22 4:44 AM, Harel Klopfer wrote:
>
> Hello
>
> I saw at the OWASP the reflected XSS directive for the CSP header 
> (site: 
> https://owasp.org/www-project-secure-headers/#content-security-policy),
>
> but I couldn’t find this directive at your site.
>
> *Is this directive still in use?*
>
> In our company, we want to better implement the CSP header,
>
> but we don’t want to cancel the X-XSS-Protection 
> <https://owasp.org/www-project-secure-headers/#x-xss-protection> 
> header for older-browser compatibility reasons.
>
> We use the X-XSS-Protection 
> <https://owasp.org/www-project-secure-headers/#x-xss-protection> 
> header as follows: 1; mode=block.
>
> *Is it possible using both headers together without them conflicting?*
>
> *If the headers do conflict, which policy is stronger?*
>

Received on Monday, 29 August 2022 14:11:54 UTC