X-XSS-Protection header gets set twice - override XssProtection.php
20-02-2021
Question
I use Magento 2 (version 2.3) and CloudFlare.
There is an error with HTTP headers: the X-XSS-Protection header gets set twice because Magento adds it and then CloudFlare adds it again. See this post
It's not possible to remove CloudFlare headers, so I would like to remove the Magento XSS header.
I found a solution by editing /vendor/magento/framework/App/Response/HeaderProvider/XssProtection.php: I change
const HEADER_ENABLED = '1; mode=block';
to
const HEADER_ENABLED = '0';
But I don't want to edit the core file. I would like to override it. Can you explain to me how, please? Thanks
Solution
You need to modify the getValue method. Try the following way:
app/code/SR/MagentoCommunity/etc/di.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\App\Response\HeaderProvider\XssProtection">
        <plugin name="disable_xssprotection_header"
                type="SR\MagentoCommunity\Plugin\Framework\App\Response\HeaderProvider\XssProtection"
                sortOrder="1"/>
    </type>
</config>
app/code/SR/MagentoCommunity/Plugin/Framework/App/Response/HeaderProvider/XssProtection.php
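<?php
namespace SR\MagentoCommunity\Plugin\Framework\App\Response\HeaderProvider;

class XssProtection
{
    /**
     * Replace the core header value ('1; mode=block') with '0'.
     * $proceed is intentionally not called, so the original getValue() never runs.
     */
    public function aroundGetValue(
        \Magento\Framework\App\Response\HeaderProvider\XssProtection $subject,
        \Closure $proceed
    ) {
        // Header values are strings, matching the core HEADER_ENABLED constant type.
        return '0';
    }
}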
Another solution:
You can avoid this header completely. In that case, you need to replace the following class.
app/code/SR/MagentoCommunity/Plugin/Framework/App/Response/HeaderProvider/XssProtection.php
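<?php
namespace SR\MagentoCommunity\Plugin\Framework\App\Response\HeaderProvider;

class XssProtection
{
    /**
     * Report that the provider does not apply, so Magento does not add the header.
     * $proceed is intentionally not called.
     */
    public function aroundCanApply(
        \Magento\Framework\App\Response\HeaderProvider\XssProtection $subject,
        \Closure $proceed
    ) {
        return false;
    }
}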
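
To confirm that a plugin like the ones above took effect, the response headers can be checked for a header that is still emitted more than once. The script below is an added example, not part of the original answer; the function names and the sample response are constructed for illustration, and real input would be the output of `curl -sI` against the storefront.

```php
<?php
declare(strict_types=1);

/**
 * Group raw response header lines by lower-cased name.
 * Header names are case-insensitive, so "x-xss-protection" and
 * "X-XSS-Protection" count as the same header.
 */
function groupHeaders(string $rawHeaders): array
{
    $grouped = [];
    foreach (preg_split('/\r\n|\n/', trim($rawHeaders)) as $line) {
        // Skip the status line ("HTTP/1.1 200 OK") and anything without a colon.
        if (strpos($line, ':') === false || stripos($line, 'HTTP/') === 0) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $grouped[strtolower(trim($name))][] = trim($value);
    }
    return $grouped;
}

/**
 * Return the watched headers that appear more than once,
 * and whether their values disagree with each other.
 */
function findDuplicateHeaders(string $rawHeaders, array $watch): array
{
    $grouped = groupHeaders($rawHeaders);
    $report = [];
    foreach ($watch as $name) {
        $values = $grouped[strtolower($name)] ?? [];
        if (count($values) > 1) {
            $report[$name] = [
                'values' => $values,
                'conflicting' => count(array_unique($values)) > 1,
            ];
        }
    }
    return $report;
}

// Constructed sample: the origin and the proxy each emitted the header.
$sample = "HTTP/1.1 200 OK\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n"
    . "X-XSS-Protection: 1; mode=block\r\n"
    . "x-xss-protection: 1; mode=block\r\n"
    . "X-Frame-Options: SAMEORIGIN\r\n";

print_r(findDuplicateHeaders($sample, ['X-XSS-Protection', 'X-Frame-Options']));
```

An empty array means none of the watched headers is duplicated; a `conflicting` flag of `true` means the copies carry different values.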