From ef3510fa6db350ad49e7e425262a40e2da7ebee7 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Mon, 27 Jun 2022 15:19:27 -0700
Subject: [PATCH] nginx: Remove legacy X-XSS-Protection header.

Support for this header was removed in Chrome 78, Safari 15.4, and Edge 17. It was never supported in Firefox.

Signed-off-by: Anders Kaseorg
---
 puppet/zulip/files/nginx/zulip-include-common/headers | 1 -
 tools/ci/success-http-headers.template.txt | 1 -
 2 files changed, 2 deletions(-)

diff --git a/puppet/zulip/files/nginx/zulip-include-common/headers b/puppet/zulip/files/nginx/zulip-include-common/headers
index e684f9500f..70cd3b98f5 100644
--- a/puppet/zulip/files/nginx/zulip-include-common/headers
+++ b/puppet/zulip/files/nginx/zulip-include-common/headers
@@ -5,4 +5,3 @@
 add_header Strict-Transport-Security max-age=15768000 always;
 add_header X-Frame-Options DENY always;
 add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
diff --git a/tools/ci/success-http-headers.template.txt b/tools/ci/success-http-headers.template.txt
index 5fc4d8edd0..950d8690c6 100644
--- a/tools/ci/success-http-headers.template.txt
+++ b/tools/ci/success-http-headers.template.txt
@@ -7,7 +7,6 @@ content-language: en
 strict-transport-security: max-age=15768000
 x-frame-options: DENY
 x-content-type-options: nosniff
-x-xss-protection: 1; mode=block
 access-control-allow-origin: *
 access-control-allow-headers: Authorization
 access-control-allow-methods: GET, POST, DELETE, PUT, PATCH, HEAD