From 389438d18b51bd254acd21bf3683407b8bcaa9ce Mon Sep 17 00:00:00 2001
From: Giuseppe C <1191978+AvverbioPronome@users.noreply.github.com>
Date: Sun, 8 May 2022 21:11:01 +0200
Subject: [PATCH 1/3] Update X-XSS-Protection to current recommendation

See:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
---
 core/nginx/conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 4e6919f8..28e19f04 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -117,7 +117,7 @@ http {
         add_header X-Frame-Options 'SAMEORIGIN';
         add_header X-Content-Type-Options 'nosniff';
         add_header X-Permitted-Cross-Domain-Policies 'none';
-        add_header X-XSS-Protection '1; mode=block';
+        add_header X-XSS-Protection '0';
         add_header Referrer-Policy 'same-origin';

         # mozilla autoconfiguration

From f7a3ecee2c1a785226f59b69d2a1ade38bfe290d Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 10 May 2022 22:41:10 +0200
Subject: [PATCH 2/3] remove X-XSS-Protection header from nginx.conf

---
 core/nginx/conf/nginx.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 28e19f04..80ebdaee 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -117,7 +117,6 @@ http {
         add_header X-Frame-Options 'SAMEORIGIN';
         add_header X-Content-Type-Options 'nosniff';
         add_header X-Permitted-Cross-Domain-Policies 'none';
-        add_header X-XSS-Protection '0';
         add_header Referrer-Policy 'same-origin';

         # mozilla autoconfiguration

From 374ee8c6364862e28f4a6668c120fb41e36b3e90 Mon Sep 17 00:00:00 2001
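Review bot: Dropping the header entirely in the second hunk (patch 2/3) gives up the one thing the explicit `'0'` from patch 1/3 still bought: the MDN and OWASP pages cited in the first commit treat omitting the header and sending `0` as both acceptable, but only the explicit `0` switches the auditor off in legacy browsers that still ship it enabled by default, and that filter has itself been a source of content-blocking and side-channel trouble, which is why the guidance moved from `1; mode=block` to `0` rather than merely to silence. If the project does not need to support those browsers the removal is fine, but the commit message should say so; otherwise keep `add_header X-XSS-Protection '0';` beside the other hardening headers. Neither hunk shows a `Content-Security-Policy`, which both cited sources name as the actual replacement; I cannot tell from this hunk whether one is set elsewhere in the block. The enclosing `http`/`server` block starts and ends outside the hunk.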
From: Your Name
Date: Tue, 10 May 2022 22:47:42 +0200
Subject: [PATCH 3/3] towncrier fragment 2338 about X-XSS-Protection removal

---
 towncrier/newsfragments/2338.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/2338.misc

diff --git a/towncrier/newsfragments/2338.misc b/towncrier/newsfragments/2338.misc
new file mode 100644
index 00000000..70d895e0
--- /dev/null
+++ b/towncrier/newsfragments/2338.misc
@@ -0,0 +1 @@
+Don't send the `X-XSS-Protection` http header anymore.
\ No newline at end of file