diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc index 52234ac0c..9ef91d295 100644 --- a/doc/changelog.asciidoc +++ b/doc/changelog.asciidoc @@ -48,6 +48,10 @@ Changed - Hosts are now additionally looked up including their ports in netrc files. - With Qt 5.10 or newer, qutebrowser now doesn't force software rendering with Nouveau drivers anymore. However, QtWebEngine/Chromium still do so. +- The XSS Auditor is now disabled by default (`content.xss_auditing` = + `false`). This reflects a similar change in Chromium, see + their https://www.chromium.org/developers/design-documents/xss-auditor[XSS + Auditor Design Document] for details. Fixed ~~~~~ diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc index 378aba5ec..fe86b577b 100644 --- a/doc/help/settings.asciidoc +++ b/doc/help/settings.asciidoc @@ -2249,12 +2249,13 @@ Default: +pass:[false]+ === content.xss_auditing Monitor load requests for cross-site scripting attempts. Suspicious scripts will be blocked and reported in the inspector's JavaScript console. +Note that bypasses for the XSS auditor are widely known and it can be abused for cross-site info leaks in some scenarios, see: https://www.chromium.org/developers/design-documents/xss-auditor This setting supports URL patterns. Type: <> -Default: +pass:[true]+ +Default: +pass:[false]+ [[downloads.location.directory]] === downloads.location.directory diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml index 65bc168ad..f48cac189 100644 --- a/qutebrowser/config/configdata.yml +++ b/qutebrowser/config/configdata.yml @@ -780,7 +780,7 @@ content.webrtc_ip_handling_policy: content.xss_auditing: type: Bool - default: true + default: false supports_pattern: true desc: >- Monitor load requests for cross-site scripting attempts. 
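Review bot: Changing `default` to `false` at the `content.xss_auditing` entry only affects users who never set the option; anyone who has `content.xss_auditing = true` in their config, or enabled it for a URL pattern, presumably keeps the auditor and with it the cross-site info-leak exposure that the new desc text describes. The changelog entry in this commit mentions only the new default, so a sentence there asking such users to re-check their config would close that gap, e.g. `Users who enabled it explicitly (including per URL pattern) should consider removing that setting.` Whether the config layer can flag an explicitly set value that now matches a discouraged state I cannot tell from this hunk.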
@@ -788,6 +788,10 @@ content.xss_auditing: Suspicious scripts will be blocked and reported in the inspector's JavaScript console. + Note that bypasses for the XSS auditor are widely known and it can be + abused for cross-site info leaks in some scenarios, see: + https://www.chromium.org/developers/design-documents/xss-auditor + content.mute: default: false type: Bool
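Review bot: The added desc paragraph lists the auditor's drawbacks but gives no recommendation, which matters for an option with `supports_pattern: true`; as I read the linked design document, the leak is a property of the auditor running on a site, so enabling it only for selected patterns does not avoid the leak on those sites but rather makes it observable exactly there. Suggest ending the paragraph with an explicit statement such as `Enabling it, even only for selected URL patterns, is not recommended.` It may also be worth noting, hedged, that the option only has an effect where the backend still implements the auditor, since the upstream change the changelog refers to could leave it a no-op on newer backends.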