X-XSS-Protection


The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops a page from loading when the browser detects a reflected cross-site scripting (XSS) attack. These protections are largely unnecessary in modern browsers when a site implements a strong Content-Security-Policy that disables inline JavaScript (omits 'unsafe-inline'), but they can still protect users of older browsers that do not yet support CSP.

Header type:          Response header
Forbidden header name: no

Syntax

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
0
Disables XSS filtering.
1
Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1;mode=block
Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-URI>  (Chromium only)
Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

Example

Block pages from loading when they detect reflected XSS attacks:

X-XSS-Protection: 1;mode=block

PHP

header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

<IfModule mod_headers.c> 
  Header set X-XSS-Protection "1; mode=block" 
</IfModule>
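As an added check that is not part of this page's own examples: a Python parser for the header values listed above, which grades a response by whether a strong CSP (no 'unsafe-inline' in the effective script-src) already covers it or whether it relies on the legacy filter. The sample headers are constructed.

```python
from typing import Dict, Optional

# Added example, not MDN's own code: parse the X-XSS-Protection syntax listed
# above and judge it next to Content-Security-Policy.

def parse_xss_protection(value: str) -> Dict[str, Optional[str]]:
    """Split '0', '1', '1; mode=block' or '1; report=<uri>' into its parts."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    parsed = {"filter": "on" if parts[0] == "1" else "off", "mode": None, "report": None}
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name not in ("mode", "report"):
            raise ValueError(f"unknown X-XSS-Protection directive: {directive!r}")
        parsed[name] = arg.strip()
    return parsed

def csp_blocks_inline_script(csp: Optional[str]) -> bool:
    """True when the effective script-src source list omits 'unsafe-inline'."""
    if not csp:
        return False
    directives = {}
    for d in csp.split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in sources

def assess(headers: Dict[str, str]) -> str:
    """Classify one response's headers by the protection they actually give."""
    h = {k.lower(): v for k, v in headers.items()}
    if csp_blocks_inline_script(h.get("content-security-policy")):
        return "csp-protected"  # the legacy filter adds nothing here
    if "x-xss-protection" not in h:
        return "no-protection"
    parsed = parse_xss_protection(h["x-xss-protection"])
    if parsed["filter"] == "off":
        return "filter-off"
    return "legacy-block" if parsed["mode"] == "block" else "sanitize-only"

# Constructed sample responses, as a header checker might see them.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; script-src 'self'"},
    "legacy": {"X-XSS-Protection": "1; mode=block"},
    "weak": {"X-XSS-Protection": "1", "Content-Security-Policy": "script-src 'unsafe-inline'"},
}
```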

Specifications

Not part of any specifications or drafts.

Browser compatibility

Feature          | Chrome | Edge  | Firefox    | Internet Explorer | Opera | Safari | Servo
X-XSS-Protection | (Yes)  | (Yes) | No support | 8.0               | (Yes) | (Yes)  | No support

Feature          | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile
X-XSS-Protection | (Yes)   | (Yes)              | (Yes)       | No support          | ?         | (Yes)        | (Yes)
