Description
The website https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection says the following
> _Non-standard: This feature is not standardized. We do not recommend using non-standard features in production, as they have limited browser support, and may change or be removed. However, they can be a suitable alternative in specific cases where no standard option exists._
>
> _Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time._
>
> _Warning: Even though this feature can protect users of older web browsers that don't support CSP, in some cases, X-XSS-Protection can create XSS vulnerabilities in otherwise safe websites. See the Security considerations section below for more information._
It is enough to check Content-Security-Policy.
Isn't it worth removing the X-XSS-Protection check by default and, for example, adding a separate option in the full settings to enable it if desired?
As far as I know, Screaming Frog, for example, checks for Content-Security-Policy and ignores X-XSS-Protection.
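The following is an added illustration of the behaviour proposed in this issue, not code from this project: a header audit that treats Content-Security-Policy as the required control and only reports on the deprecated X-XSS-Protection header as informational, with an opt-in flag for the legacy check. The function names, the `Finding` structure and the sample header dictionaries are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS_CSP_ONLY: Dict[str, str] = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
SAMPLE_HEADERS_LEGACY: Dict[str, str] = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
}
SAMPLE_HEADERS_WEAK_CSP: Dict[str, str] = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "img-src 'self'",
}


@dataclass
class Finding:
    severity: str  # "error", "warning" or "info"
    header: str
    message: str


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directive_names(csp: str) -> List[str]:
    """Return the directive names of a CSP value, e.g. ['default-src', 'script-src']."""
    return [part.strip().split()[0] for part in csp.split(";") if part.strip()]


def audit_xss_headers(headers: Dict[str, str], check_x_xss_protection: bool = False) -> List[Finding]:
    """Audit XSS-related response headers.

    Content-Security-Policy is the standard control and is always checked.
    X-XSS-Protection is deprecated and non-standard: by default its presence is
    only reported as informational; with check_x_xss_protection=True the legacy
    check is enabled and its absence is reported as well (hypothetical option).
    """
    findings: List[Finding] = []

    csp = _get_header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(Finding("error", "Content-Security-Policy",
                                "header missing; no standard XSS mitigation in place"))
    else:
        names = _csp_directive_names(csp)
        if "script-src" not in names and "default-src" not in names:
            findings.append(Finding("warning", "Content-Security-Policy",
                                    "no script-src or default-src directive; script sources are not restricted"))

    xxp = _get_header(headers, "X-XSS-Protection")
    if check_x_xss_protection:
        if xxp is None:
            findings.append(Finding("info", "X-XSS-Protection",
                                    "legacy check enabled and deprecated header is not set"))
    elif xxp is not None:
        findings.append(Finding("info", "X-XSS-Protection",
                                "deprecated, non-standard header present; Content-Security-Policy is the standard control"))

    return findings


if __name__ == "__main__":
    for label, sample in (("csp-only", SAMPLE_HEADERS_CSP_ONLY),
                          ("legacy", SAMPLE_HEADERS_LEGACY),
                          ("weak-csp", SAMPLE_HEADERS_WEAK_CSP)):
        print(label)
        for f in audit_xss_headers(sample):
            print(f"  [{f.severity}] {f.header}: {f.message}")
```

With the default settings a response carrying only a script-restricting CSP produces no findings, a response that relies solely on X-XSS-Protection gets an error for the missing CSP plus an informational note about the deprecated header, and the legacy check is only applied when explicitly enabled.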