1729570 – OpenShift Console missing X-XSS-Protection header.

Bug 1729570 - OpenShift Console missing X-XSS-Protection header.

Summary: OpenShift Console missing X-XSS-Protection header.

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	kube-apiserver
Sub Component:
Version:	3.11.0
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.3.0
Assignee:	Stefan Schimanski
QA Contact:	Xingxing Xia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-12 16:28 UTC by Dan Yocum
Modified:	2024-03-25 15:21 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-07 09:08:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Dan Yocum 2019-07-12 16:28:45 UTC

Description of problem:

Customer is reporting that their pentests are failing (low severity) because the X-XSS-Protection header (to prevent cross-site scripting attacks) is missing on the OpenShift console.


Version-Release number of selected component (if applicable):

All 3.x

How reproducible:

Always

Steps to Reproduce:
1. pentest the console using Kali

Actual results:

X-XSS-Protection header test fails


Expected results:

X-XSS-Protection header test succeeds


Additional info:

Comment 4 Samuel Padgett 2019-07-12 17:22:56 UTC

What HTTP response specifically is missing this header? Both the 3.11 and 4.1 web consoles do have it set.

Comment 10 Samuel Padgett 2019-07-25 12:09:01 UTC

This response comes from the API server. Updating the component. The console itself has the header.

Note You need to log in before you can comment on or make changes to this bug.