Commit 00d3f63

Improve inline comments about X-XSS-Protection
Provide more information on how the Cross-Site Scripting (XSS) filter works by default, and in combination with the `X-XSS-Protection` HTTP header.
1 parent d83d4ca commit 00d3f63

File tree

1 file changed

+20
-8
lines changed

.htaccess

+20-8
@@ -379,15 +379,27 @@ AddDefaultCharset utf-8
379379
# | Reflected Cross-Site Scripting (XSS) attacks |
380380
# ------------------------------------------------------------------------------
381381

382-
# (1) Enable Cross-Site Scripting (XSS) filter built into the most recent web
383-
# browsers (the filter is usually enabled by default, but in some cases it may
384-
# be disabled by the user).
385-
382+
# (1) Try to re-enable the Cross-Site Scripting (XSS) filter built into the
383+
# most recent web browsers.
384+
#
385+
# The filter is usually enabled by default, but in some cases it may be
386+
# disabled by the user. However, in IE for example, it can be re-enabled
387+
# just by sending the `X-XSS-Protection` header with the value of `1`.
388+
#
386389
# (2) Prevent web browsers from rendering the web page if a potential reflected
387-
# (a.k.a non-persistent) XSS attack is detected by the filter (not doing so,
388-
# while the fitler is enabled, allows IE's XSS filter to be exploited:
389-
# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/)
390-
390+
# (a.k.a non-persistent) XSS attack is detected by the filter.
391+
#
392+
# By default, if the filter is enabled and browsers detect a reflected
393+
# XSS attack, they will attempt to block the attack by making the smallest
394+
# possible modifications to the returned web page.
395+
#
396+
# Unfortunately, in some browsers (e.g.: IE), this default behavior may
397+
# allow the XSS filter to be exploited, thereby, it's better to tell
398+
# browsers to prevent the rendering of the page altogether, instead of
399+
# attempting to modify it.
400+
#
401+
# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
402+
#
391403
# IMPORTANT: Do not rely on the XSS filter to prevent XSS attacks! Ensure that
392404
# you are taking all possible measures to prevent XSS attacks, the most obvious
393405
# being: validating and sanitizing your site's inputs.
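Review bot: the new comment for (2) describes the "prevent rendering altogether" behaviour but never names the header value that selects it, so a reader cannot connect the prose to the directive that follows; consider ending that paragraph with the value explicitly, e.g. `# attempting to modify it (i.e. send 'X-XSS-Protection: 1; mode=block').`, in the same way (1) already spells out the value `1` for re-enabling the filter. Two wording nits in the same block: "thereby, it's better to tell" should read "therefore, it's better to tell", and "a.k.a non-persistent" wants the second period ("a.k.a."). The typo "fitler" from the removed lines is gone, which is good; the hackademix URL also lost its trailing slash in the rewrite, so it is worth checking it still resolves to the same article.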
