by vbernat 3315 days ago
Many headers presented here are questionable. X-Frame-Options should be replaced by CSP frame-ancestors. X-XSS-Protection: 1 has been the default for a long time for browsers supporting it, and Chrome blocks by default since two releases ago. Referrer-Policy is a matter of choice. It's useful information for the target site as long as the referrer doesn't contain sensitive information. IMO, most sites shouldn't set this header.

> X-XSS-Protection: 1 has been the default for a long time for browsers supporting it, and Chrome blocks by default since two releases ago.

Do you have references to back this up?

> Referrer-Policy is a matter of choice. It's useful information for the target site as long as the referrer doesn't contain sensitive information. IMO, most sites shouldn't set this header.

Exactly. I think its primary use is when the original site's URL contains user-supplied input, like the Google Search page.

For X-XSS-Protection, see: https://bugs.chromium.org/p/chromium/issues/detail?id=654794. Currently implemented in M57, but you can still disable filtering. This should be removed in the future.
Thank you!
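As an added example (not part of the thread), the Referrer-Policy point discussed above in code: a simplified model of the Referrer Policy algorithm showing which part of a search-results URL reaches a third-party site under each policy token. The URLs are constructed, and default-port normalisation is ignored.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs: a search-results page whose query string carries
# user-supplied input, and external results the user clicks on.
SOURCE = "https://search.example/search?q=my+medical+condition#results"
DEST_HTTPS = "https://news.example/article/123"
DEST_HTTP = "http://legacy.example/page"  # https -> http is a "downgrade"

def _origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

def _strip(url, origin_only=False):
    """Strip a URL for use as a referrer: drop fragment and userinfo;
    with origin_only also drop path and query (serialises as origin + '/')."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, host, "/", "", ""))
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referer_for(policy, source, dest):
    """Return the Referer value a browser sends (None = omitted) for a
    navigation from `source` to `dest` under the given Referrer-Policy token."""
    same_origin = _origin(source) == _origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(source)
    if policy == "same-origin":
        return _strip(source) if same_origin else None
    if policy == "origin":
        return _strip(source, origin_only=True)
    if policy == "strict-origin":
        return None if downgrade else _strip(source, origin_only=True)
    if policy == "origin-when-cross-origin":
        return _strip(source) if same_origin else _strip(source, origin_only=True)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _strip(source)
        return None if downgrade else _strip(source, origin_only=True)
    raise ValueError(f"unknown policy: {policy}")

def leaks_query(policy, source, dest):
    """True if the user-supplied query string reaches the destination site."""
    ref = referer_for(policy, source, dest)
    return ref is not None and urlsplit(ref).query != ""
```

Under no-referrer-when-downgrade (the historical browser default) the full search query is sent to any HTTPS destination, which is exactly the case where a search-like site benefits from setting the header.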