Disable XSS auditing by default

This follows a similar change in Chromium:

https://www.chromium.org/developers/design-documents/xss-auditor
https://bugs.chromium.org/p/chromium/issues/detail?id=968591
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/TCpThW81EAAJ
https://www.chromestatus.com/feature/5021976655560704

From the bug:

  TL:DR
  Bypasses abound.
  It prevents some legit sites from working.
  Once detected, there’s nothing good to do.
  It introduces cross-site info leaks.
  Fixing all the info leaks has proven difficult.
Florian Bruhin 2019-09-21 14:23:01 +02:00
parent 7370f61f5a
commit 717877596c
3 changed files with 11 additions and 2 deletions


@ -48,6 +48,10 @@ Changed
- Hosts are now additionally looked up including their ports in netrc files.
- With Qt 5.10 or newer, qutebrowser now doesn't force software rendering with
Nouveau drivers anymore. However, QtWebEngine/Chromium still do so.
- The XSS Auditor is now disabled by default (`content.xss_auditing` =
`false`). This reflects a similar change in Chromium, see
their https://www.chromium.org/developers/design-documents/xss-auditor[XSS
Auditor Design Document] for details.
Fixed
~~~~~
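
Review bot: The new changelog bullet gives the new default and points at Chromium's design document, but it does not say why the auditor is being turned off. The commit message has the reasons (bypasses, broken legitimate sites, cross-site info leaks), and the settings help added in this same commit mentions two of them. A short clause here, such as "because bypasses are widely known and it can be abused for cross-site info leaks", would let someone reading only the changelog understand that this is a deliberate security decision and not a regression.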


@ -2249,12 +2249,13 @@ Default: +pass:[false]+
=== content.xss_auditing
Monitor load requests for cross-site scripting attempts.
Suspicious scripts will be blocked and reported in the inspector's JavaScript console.
Note that bypasses for the XSS auditor are widely known and it can be abused for cross-site info leaks in some scenarios, see: https://www.chromium.org/developers/design-documents/xss-auditor
This setting supports URL patterns.
Type: <<types,Bool>>
Default: +pass:[true]+
Default: +pass:[false]+
[[downloads.location.directory]]
=== downloads.location.directory
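
Review bot: The added "Note that bypasses for the XSS auditor are widely known ..." line ends in a bare URL after "see:", whereas the changelog entry in this commit links the same page in the AsciiDoc form with the title "XSS Auditor Design Document". Using the titled link form here as well would keep the two references consistent. The note also comes after "Suspicious scripts will be blocked and reported", so the help text still opens by presenting the setting as a protection; consider stating in the note that this is why the default is now false.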


@ -780,7 +780,7 @@ content.webrtc_ip_handling_policy:
content.xss_auditing:
type: Bool
default: true
default: false
supports_pattern: true
desc: >-
Monitor load requests for cross-site scripting attempts.
@ -788,6 +788,10 @@ content.xss_auditing:
Suspicious scripts will be blocked and reported in the inspector's
JavaScript console.
Note that bypasses for the XSS auditor are widely known and it can be
abused for cross-site info leaks in some scenarios, see:
https://www.chromium.org/developers/design-documents/xss-auditor
content.mute:
default: false
type: Bool
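
Review bot: The caveat added to `desc` ("bypasses ... are widely known and it can be abused for cross-site info leaks") sits after the unchanged sentences that describe the auditor as monitoring and blocking XSS attempts, and nothing in the text tells the reader what to do with that information. Since `supports_pattern: true` is kept, users can still turn the setting on per URL pattern; a sentence saying that enabling it is not recommended, or at least that it should not be relied on as an XSS defence, would make the description match the new `default: false`.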