From daf512d755a7c23a426b297ff7a43b57b33048f3 Mon Sep 17 00:00:00 2001
From: lukasz-jarocki-sonarsource <lukasz.jarocki@sonarsource.com>
Date: Thu, 12 Sep 2024 16:10:38 +0200
Subject: [PATCH] SONAR-23029 fix ssf

---
 .../sonar/server/platform/web/SecurityServletFilter.java  | 6 +++---
 .../sonar/server/app/SecurityErrorReportValveTest.java    | 2 +-
 .../server/platform/web/SecurityServletFilterTest.java    | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
index afb7332af2c..ce0687a7011 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
@@ -83,11 +83,11 @@ public class SecurityServletFilter implements Filter {
     }
 
     // Cross-site scripting
-    // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
+    // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+    httpResponse.setHeader("X-XSS-Protection", "0");
 
     // MIME-sniffing
-    // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+    // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
     httpResponse.setHeader("X-Content-Type-Options", "nosniff");
   }
 
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
index 338c346eee1..1ab54b7902d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
@@ -54,7 +54,7 @@ public class SecurityErrorReportValveTest {
     underTest.invoke(request, response);
 
     verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
     verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
   }
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
index 14805dc0ed0..500deeb7e5e 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
@@ -99,7 +99,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
     assertNull(response.getHeader("Strict-Transport-Security"));
   }
@@ -112,7 +112,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
     verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
   }
@@ -124,7 +124,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
   }
 
@@ -138,7 +138,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
   }
 
-- 
2.39.5