ATLAS-5160: Remove deprecated X-XSS-PROTECTION header from HTTP response headers initialization and Atlas Spring Security Config

aditya-gupta36 · aditya-gupta36 · commit 16f465265841 · 2025-12-02T20:00:30.000+05:30
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java b/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java
@@ -35,12 +35,10 @@ public class HeadersUtil {
 
     public static final String X_FRAME_OPTIONS_KEY                 = "X-Frame-Options";
     public static final String X_CONTENT_TYPE_OPTIONS_KEY          = "X-Content-Type-Options";
-    public static final String X_XSS_PROTECTION_KEY                = "X-XSS-Protection";
     public static final String STRICT_TRANSPORT_SEC_KEY            = "Strict-Transport-Security";
     public static final String CONTENT_SEC_POLICY_KEY              = "Content-Security-Policy";
     public static final String X_FRAME_OPTIONS_VAL                 = "DENY";
     public static final String X_CONTENT_TYPE_OPTIONS_VAL          = "nosniff";
-    public static final String X_XSS_PROTECTION_VAL                = "1; mode=block";
     public static final String STRICT_TRANSPORT_SEC_VAL            = "max-age=31536000; includeSubDomains";
     public static final String CONTENT_SEC_POLICY_VAL              = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:";
     public static final String SERVER_KEY                          = "Server";
@@ -79,7 +77,6 @@ public static void initializeHttpResponseHeaders(Properties configuredHeaders) {
 
         HEADER_MAP.put(X_FRAME_OPTIONS_KEY, X_FRAME_OPTIONS_VAL);
         HEADER_MAP.put(X_CONTENT_TYPE_OPTIONS_KEY, X_CONTENT_TYPE_OPTIONS_VAL);
-        HEADER_MAP.put(X_XSS_PROTECTION_KEY, X_XSS_PROTECTION_VAL);
         HEADER_MAP.put(STRICT_TRANSPORT_SEC_KEY, STRICT_TRANSPORT_SEC_VAL);
         HEADER_MAP.put(CONTENT_SEC_POLICY_KEY, CONTENT_SEC_POLICY_VAL);
         HEADER_MAP.put(SERVER_KEY, AtlasConfiguration.HTTP_HEADER_SERVER_VALUE.getString());
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
@@ -195,7 +195,8 @@ protected void configure(HttpSecurity httpSecurity) throws Exception {
         //@formatter:off
         httpSecurity.authorizeRequests().anyRequest().authenticated()
                 .and()
-                .headers()
+                // Why disable() xssProtection -> By default Spring Security automatically adds security headers unless you disable them. No Modern Browsers support and its replaced by "Content-Security-Policy"
+                .headers().xssProtection().disable()
                 .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.getHeaderMap(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
                 .addHeaderWriter(new StaticHeadersWriter(SERVER_KEY, HeadersUtil.getHeaderMap(SERVER_KEY)))
                 .and()
diff --git a/webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java b/webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java
@@ -93,7 +93,6 @@ public void testDefaultHeadersArePresent() {
 
         assertEquals("DENY", HeadersUtil.getHeaderMap(HeadersUtil.X_FRAME_OPTIONS_KEY));
         assertEquals("nosniff", HeadersUtil.getHeaderMap(HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY));
-        assertEquals("1; mode=block", HeadersUtil.getHeaderMap(HeadersUtil.X_XSS_PROTECTION_KEY));
     }
 
     private Properties createPropertiesWithHeaders(String... headers) {
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java b/webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java
@@ -499,6 +499,7 @@ private void setupHttpSecurityMocksFor(HttpSecurity httpSecurity) throws Excepti
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry mockAuthRequests = mock(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.class);
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.AuthorizedUrl mockAuthorizedUrl = mock(ExpressionUrlAuthorizationConfigurer.AuthorizedUrl.class);
         HeadersConfigurer<HttpSecurity> mockHeadersConfigurer = mock(HeadersConfigurer.class);
+        HeadersConfigurer<HttpSecurity>.XXssConfig mockXssConfigurer = mock(HeadersConfigurer.XXssConfig.class);
         ServletApiConfigurer<HttpSecurity> mockServletApiConfigurer = mock(ServletApiConfigurer.class);
         CsrfConfigurer<HttpSecurity> mockCsrfConfigurer = mock(CsrfConfigurer.class);
         SessionManagementConfigurer<HttpSecurity> mockSessionConfigurer = mock(SessionManagementConfigurer.class);
@@ -514,6 +515,8 @@ private void setupHttpSecurityMocksFor(HttpSecurity httpSecurity) throws Excepti
         when(mockAuthRequests.and()).thenReturn(httpSecurity);
 
         when(httpSecurity.headers()).thenReturn(mockHeadersConfigurer);
+        when(mockHeadersConfigurer.xssProtection()).thenReturn(mockXssConfigurer);
+        when(mockXssConfigurer.disable()).thenReturn(mockHeadersConfigurer);
         when(mockHeadersConfigurer.addHeaderWriter(any(StaticHeadersWriter.class))).thenReturn(mockHeadersConfigurer);
         when(mockHeadersConfigurer.and()).thenReturn(httpSecurity);
 
@@ -857,6 +860,7 @@ private void setupHttpSecurityMocks() throws Exception {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry mockAuthRequests = mock(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.class);
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.AuthorizedUrl mockAuthorizedUrl = mock(ExpressionUrlAuthorizationConfigurer.AuthorizedUrl.class);
         HeadersConfigurer<HttpSecurity> mockHeadersConfigurer = mock(HeadersConfigurer.class);
+        HeadersConfigurer<HttpSecurity>.XXssConfig mockXssConfigurer = mock(HeadersConfigurer.XXssConfig.class);
         ServletApiConfigurer<HttpSecurity> mockServletApiConfigurer = mock(ServletApiConfigurer.class);
         CsrfConfigurer<HttpSecurity> mockCsrfConfigurer = mock(CsrfConfigurer.class);
         SessionManagementConfigurer<HttpSecurity> mockSessionConfigurer = mock(SessionManagementConfigurer.class);
@@ -872,6 +876,8 @@ private void setupHttpSecurityMocks() throws Exception {
         when(mockAuthRequests.and()).thenReturn(mockHttpSecurity);
 
         when(mockHttpSecurity.headers()).thenReturn(mockHeadersConfigurer);
+        when(mockHeadersConfigurer.xssProtection()).thenReturn(mockXssConfigurer);
+        when(mockXssConfigurer.disable()).thenReturn(mockHeadersConfigurer);
         when(mockHeadersConfigurer.addHeaderWriter(any(StaticHeadersWriter.class))).thenReturn(mockHeadersConfigurer);
         when(mockHeadersConfigurer.and()).thenReturn(mockHttpSecurity);
 

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,6 @@ public void testDefaultHeadersArePresent() {`
`93`	`93`
`94`	`94`	`assertEquals("DENY", HeadersUtil.getHeaderMap(HeadersUtil.X_FRAME_OPTIONS_KEY));`
`95`	`95`	`assertEquals("nosniff", HeadersUtil.getHeaderMap(HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY));`
`96`		`- assertEquals("1; mode=block", HeadersUtil.getHeaderMap(HeadersUtil.X_XSS_PROTECTION_KEY));`
`97`	`96`	`}`
`98`	`97`
`99`	`98`	`private Properties createPropertiesWithHeaders(String... headers) {`