Ref #735 - Clean up X-XSS-Protection test (#779)

This removes the test entirely, but results from historic tests are kept and still displayed. Translations are also kept.
internetstandards · Nov 7, 2022 · ff96cd3 · ff96cd3
1 parent 12426af
commit ff96cd3
Show file tree

Hide file tree

Showing 8 changed files with 2 additions and 107 deletions.
diff --git a/checks/categories.py b/checks/categories.py
@@ -177,8 +177,6 @@ def __init__(self, name="web-appsecpriv"):
             WebAppsecprivHttpCsp,
             WebAppsecprivHttpXContentType,
             WebAppsecprivSecuritytxt,
-            # TODO: To be removed in the future.
-            # WebAppsecprivHttpXXss,
         ]
         super(WebAppsecpriv, self).__init__(name, subtests)
 
@@ -2236,29 +2234,6 @@ def result_bad(self, tech_data):
         self.tech_data = tech_data or ""
 
 
-class WebAppsecprivHttpXXss(Subtest):
-    def __init__(self):
-        super(WebAppsecprivHttpXXss, self).__init__(
-            name="http_x_xss",
-            label="detail web appsecpriv http-x-xss label",
-            explanation="detail web appsecpriv http-x-xss exp",
-            tech_string="detail web appsecpriv http-x-xss tech table",
-            worst_status=scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_WORST_STATUS,
-            full_score=scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_GOOD,
-            model_score_field="x_xss_protection_score",
-        )
-
-    def result_good(self, tech_data):
-        self._status(STATUS_SUCCESS)
-        self.verdict = "detail web appsecpriv http-x-xss verdict good"
-        self.tech_data = tech_data
-
-    def result_bad(self, tech_data):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail web appsecpriv http-x-xss verdict bad"
-        self.tech_data = tech_data or ""
-
-
 class WebAppsecprivHttpXContentType(Subtest):
     def __init__(self):
         super(WebAppsecprivHttpXContentType, self).__init__(

diff --git a/checks/models.py b/checks/models.py
@@ -688,6 +688,7 @@ class DomainTestAppsecpriv(BaseTestModel):
     x_frame_options_values = ListField(default=[])
     x_frame_options_score = models.IntegerField(null=True)
 
+    # This check was removed, but we keep the data for legacy records
     x_xss_protection_enabled = models.BooleanField(null=True, default=False)
     x_xss_protection_values = ListField(default=[])
     x_xss_protection_score = models.IntegerField(null=True)
@@ -754,9 +755,6 @@ def get_web_api_details(self):
             "securitytxt_errors": self.securitytxt_errors,
             "securitytxt_recommendations": self.securitytxt_recommendations,
             "securitytxt_found_host": self.securitytxt_found_host,
-            # TODO: to be removed in the future.
-            # 'x_xss_protection_enabled': self.x_xss_protection_enabled,
-            # 'x_xss_protection_values': self.x_xss_protection_values,
         }
 
     class Meta:

diff --git a/checks/scoring.py b/checks/scoring.py
@@ -189,10 +189,6 @@
 WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_BAD = NO_POINTS
 WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_WORST_STATUS = STATUS_NOTICE
 
-WEB_APPSECPRIV_X_XSS_PROTECTION_GOOD = FULL_WEIGHT_POINTS
-WEB_APPSECPRIV_X_XSS_PROTECTION_BAD = FULL_WEIGHT_POINTS  # TODO: XSS to be removed in the future.
-WEB_APPSECPRIV_X_XSS_PROTECTION_WORST_STATUS = STATUS_INFO
-
 WEB_APPSECPRIV_REFERRER_POLICY_GOOD = FULL_WEIGHT_POINTS
 WEB_APPSECPRIV_REFERRER_POLICY_BAD = FULL_WEIGHT_POINTS
 WEB_APPSECPRIV_REFERRER_POLICY_WORST_STATUS = STATUS_NOTICE

diff --git a/checks/tasks/appsecpriv.py b/checks/tasks/appsecpriv.py
@@ -15,7 +15,6 @@
     HeaderCheckerReferrerPolicy,
     HeaderCheckerXContentTypeOptions,
     HeaderCheckerXFrameOptions,
-    HeaderCheckerXXssProtection,
     http_headers_check,
 )
 from checks.tasks.shared import aggregate_subreports, results_per_domain
@@ -116,9 +115,6 @@ def save_results(model, results, addr, domain):
                 model.x_content_type_options_enabled = result.get("x_content_type_options_enabled")
                 model.x_content_type_options_score = result.get("x_content_type_options_score")
                 model.x_content_type_options_values = result.get("x_content_type_options_values")
-                model.x_xss_protection_enabled = result.get("x_xss_protection_enabled")
-                model.x_xss_protection_score = result.get("x_xss_protection_score")
-                model.x_xss_protection_values = result.get("x_xss_protection_values")
                 model.referrer_policy_enabled = result.get("referrer_policy_enabled")
                 model.referrer_policy_score = result.get("referrer_policy_score")
                 model.referrer_policy_values = result.get("referrer_policy_values")
@@ -146,15 +142,6 @@ def build_report(model, category):
         else:
             category.subtests["http_x_frame"].result_bad(model.x_frame_options_values)
 
-        # Do not include XSS in the report.
-        # TODO: Will be removed altogether in the future.
-        # if model.x_xss_protection_enabled:
-        #    category.subtests['http_x_xss'].result_good(
-        #        model.x_xss_protection_values)
-        # else:
-        #    category.subtests['http_x_xss'].result_bad(
-        #        model.x_xss_protection_values)
-
         if model.referrer_policy_enabled:
             category.subtests["http_referrer_policy"].result_good(model.referrer_policy_values)
         else:
@@ -212,7 +199,6 @@ def do_web_appsecpriv(af_ip_pairs, url, task, *args, **kwargs):
             HeaderCheckerContentSecurityPolicy(),
             HeaderCheckerXFrameOptions(),
             HeaderCheckerReferrerPolicy(),
-            HeaderCheckerXXssProtection(),
             HeaderCheckerXContentTypeOptions(),
         ]
         for af_ip_pair in af_ip_pairs:

diff --git a/checks/tasks/http_headers.py b/checks/tasks/http_headers.py
@@ -602,50 +602,6 @@ def get_negative_values(self):
         }
 
 
-class HeaderCheckerXXssProtection(object):
-    """
-    Class for checking the X-Xss-Protection HTTP header.
-
-    """
-
-    def __init__(self):
-        self.name = "X-Xss-Protection"
-
-    def check(self, value, results, domain):
-        """
-        Check if XSS protection is enabled.
-
-        """
-        if not value:
-            score = scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_BAD
-            results["x_xss_protection_score"] = score
-            results["x_xss_protection_enabled"] = False
-        else:
-            values = get_multiple_values_from_header(value)
-            enabled = values[0].split(";")[0]
-            if enabled == "0":
-                score = scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_BAD
-                results["x_xss_protection_score"] = score
-                results["x_xss_protection_enabled"] = False
-            results["x_xss_protection_values"].extend(values)
-
-    def get_positive_values(self):
-        score = scoring.WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_GOOD
-        return {
-            "x_xss_protection_enabled": True,
-            "x_xss_protection_score": score,
-            "x_xss_protection_values": [],
-        }
-
-    def get_negative_values(self):
-        score = scoring.WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_BAD
-        return {
-            "x_xss_protection_enabled": False,
-            "x_xss_protection_score": score,
-            "x_xss_protection_values": [],
-        }
-
-
 class HeaderCheckerReferrerPolicy(object):
     """
     Class for checking the Referrer-Policy HTTP header.

diff --git a/interface/batch/__init__.py b/interface/batch/__init__.py
@@ -310,13 +310,6 @@
                             "type": "test",
                             "translation_key": "web appsecpriv http-x-content",
                         },
-                        # TODO: To be removed in the future.
-                        # {
-                        #    'name': 'web_appsecpriv_x_xss_protection',
-                        #    'name_on_report': 'http_x_xss',
-                        #    'type': 'test',
-                        #    'translation_key': 'web appsecpriv http-x-xss'
-                        # },
                         {
                             "name": "web_appsecpriv_csp",
                             "name_on_report": "http_csp",

diff --git a/interface/batch/openapi.yaml b/interface/batch/openapi.yaml
@@ -807,16 +807,6 @@ components:
             behavior.
           items:
             type: string
-        x_xss_protection_enabled:
-          type: boolean
-          description: If the X-Xss-Protection header is set by the server.
-        x_xss_protection_values:
-          type: array
-          description: >
-            List of headers. Only the first one is evaluated as per browser
-            behavior.
-          items:
-            type: string
         referrer_policy_enabled:
           type: boolean
           description: If the Referrer-Policy header is set by the server.

diff --git a/interface/templates/domain-results.html b/interface/templates/domain-results.html
@@ -71,6 +71,7 @@ <h1>
     </div>
     {% include "details-test-item.html" with testitem=details.http_x_frame %}
     {% include "details-test-item.html" with testitem=details.http_x_content_type %}
+    {# x-XSS shown for historical results only #}
     {% include "details-test-item.html" with testitem=details.http_x_xss %}
     {% include "details-test-item.html" with testitem=details.http_csp %}
     {% include "details-test-item.html" with testitem=details.http_referrer_policy %}