Deprecating XSS Reports

A lot has changed in the browser landscape recently and we've seen all of the mainstream browsers move away from running their own XSS Auditor or XSS Filter. Given this shift, it's time for me to update a few things too.



XSS Auditor and XSS Filter

The XSS Filter ran in Microsoft Edge and they recently removed it and Google have also killed off the XSS Auditor in Chrome. Firefox never had a similar feature so now that Chrome and Edge have removed theirs, this feature is no longer supported in the mainstream browsers. The filters/auditors were controlled with the X-Xss-Protection (XXP) header and once the browsers started to abandon it, I deprecated the header in Security Headers so you could achieve an A+ grade without it.



XSS Reporting

Like all good browser Security Headers, the XXP header had a reporting mechanism.


X-Xss-Protection: 1; mode=block; report=https://scotthelme.report-uri.com/r/d/xss/enforce


At Report URI we've been closely watching the volume of XSS reports decline and feel now is the right time to deprecate them.



With that, XSS reports will no longer be processed by Report URI and these reports will be discarded at our upstream edge in Cloudflare Workers. These reports will not count towards your quota and will no longer show in the UI.


Content Security Policy

The Auditor and Filter were helpful in some ways but not helpful in many ways, largely contributing to their demise. If you do want robust protection against XSS then Content Security Policy (CSP) can step in to fill the void with more flexibility, power and of course, reporting.

I have my intro blog on Content Security Policy - An Introduction and we created the CSP Wizard to make it as easy as possible to get started with CSP. We also have a Cloudflare Worker to help set your headers and I have pages of blogs posts on CSP to help. If you're struggling with any feature on Report URI, don't forget to check out our documentation or drop me an email/comment/tweet and I'd be happy to help out!