Question

I'm planning on adding the X-XSS-Protection: 0 header in order to allow requests between mydomian.com and mystaticdomain.com. Can this header be used with a specific domain, as in X-Frame-Options/Allow-From?

https://www.keycdn.com/blog/x-xss-protection

Solution

No, this header does not allow this.

If you want a secure solution, you should implement CORS, which will allow you to specify which domains can access content normally protected by the Same Origin Policy by use of a header:

Access-Control-Allow-Origin: mystaticdomain.com
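
An added example, not part of the original answer: a server-side exact-match check that decides whether to send the Access-Control-Allow-Origin header for a request. It assumes the allowed site is served over HTTPS, since browsers compare the full origin (scheme, host and port); the function names and the allowlist are hypothetical.

```javascript
// Added example: exact-match CORS origin allowlist (not code from the original answer).
// Assumption: the allowed site is served over HTTPS on the default port.
const ALLOWED_ORIGINS = new Set(["https://mystaticdomain.com"]);

// Normalise an Origin header value to scheme://host[:port], or return null
// when it is missing, the literal "null", or not a bare origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A real Origin header carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  // url.origin lowercases the host and drops a default port.
  return url.origin;
}

// Build the CORS response headers for one request.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from reusing a response across origins.
  const headers = { Vary: "Origin" };
  const origin = normalizeOrigin(requestOrigin);
  // Exact set membership: no substring, prefix or suffix matching.
  if (origin !== null && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample Origin values, including lookalikes that must be refused.
const samples = [
  "https://mystaticdomain.com",
  "https://mystaticdomain.com.example.net",
  "http://mystaticdomain.com",
  "null",
];
for (const o of samples) {
  console.log(o, "->", JSON.stringify(corsHeaders(o)));
}
```

Requests from any origin not in the set get no Access-Control-Allow-Origin header, so the browser's Same Origin Policy continues to block the cross-origin read.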
Licensed under: CC-BY-SA with attribution