New version Internet.nl: X-XSS-Protection removed and improvement for no MX domains
X-XSS-Protection test removed
We decided to remove the test for X-XSS-Protection. Most browsers have deprecated support for X-XSS-Protection, making it of very limited security value in practice. Furthermore, browser implementations can be vulnerable to cross-site leak attacks. We advise website owners to use Content-Security-Policy (CSP) without allowing unsafe-inline scripts instead of X-XSS-Protection.
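To make the advice above concrete, here is an added example (not Internet.nl's own code) of how a response can be checked for the recommended CSP setting. It parses a Content-Security-Policy header value, applies two rules of the CSP specification (script-src falls back to default-src when absent, and 'unsafe-inline' is ignored by CSP Level 2+ browsers when a nonce or hash source is present in the same directive) and returns a verdict. The header sets in SAMPLE_RESPONSES are constructed for the example.

```python
"""Check whether a Content-Security-Policy actually blocks inline scripts.

Added example (not Internet.nl's code): a small CSP parser plus a verdict
function run over constructed header sets.
"""
import re

# Matches 'nonce-...' and 'sha256-...'/'sha384-...'/'sha512-...' source expressions.
_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/=_-]+'$", re.IGNORECASE)


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (the first one wins).
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def script_sources(policy: dict):
    """Source list that governs scripts: script-src, else default-src, else None."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_scripts_allowed(header: str) -> bool:
    """True if the policy lets inline <script> blocks and event handlers run."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True  # no directive restricts scripts at all
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if any(_NONCE_OR_HASH.match(s) for s in sources):
        return False
    return True


def csp_verdict(headers: dict) -> str:
    """Classify one response's headers (names matched case-insensitively)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return "no CSP"
    if inline_scripts_allowed(csp):
        return "CSP allows inline scripts"
    return "CSP blocks inline scripts"


# Constructed sample responses (not real sites).
SAMPLE_RESPONSES = {
    "legacy": {"X-XSS-Protection": "1; mode=block"},
    "weak": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
    "nonce": {"Content-Security-Policy": "script-src 'nonce-R4nd0m' 'unsafe-inline' 'strict-dynamic'"},
    "strict": {"Content-Security-Policy": "default-src 'self'; object-src 'none'"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:7s} -> {csp_verdict(headers)}")
```

The "legacy" response shows why the removed header is not a substitute: X-XSS-Protection alone yields "no CSP", while the "nonce" policy keeps 'unsafe-inline' only as a fallback for old browsers and is still rated as blocking inline scripts. If a site sends several Content-Security-Policy headers, each is enforced independently, so run csp_verdict once per header value.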
No MX configured
When no mail server (MX) is configured, or when we detect a Null MX record, certain tests are not applicable. From now on Internet.nl shows blue informational icons (instead of orange warnings) for these test results and provides more suitable verdict texts. As before, there is no score impact. So it is fine to have no MX configured, as long as you are aware of it and you still have the relevant standards (like DMARC) in place.
We advise using a "Null MX" record (RFC 7505) for a domain without mail servers. That way a domain clearly announces that it accepts no email. Note that the test does not fall back to A/AAAA records for mail servers when no MX record is present.
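The following added example (not Internet.nl's own code) shows the three situations described above side by side: a Null MX record, a domain with no MX at all, and a normally configured domain. It reads zone-file style records that are constructed inline rather than querying DNS, ignores A/AAAA records on purpose (no fallback), applies the RFC 7505 definition of Null MX, and, via the has_dmarc() helper assumed here for the example, checks that a DMARC record is still present in the given lines.

```python
"""Classify a domain's MX setup as "no MX", "null MX" (RFC 7505) or "MX configured".

Added example, not Internet.nl's own code.  Works on constructed zone-file
lines so it runs offline.  has_dmarc() is an assumption of this example: it
only checks that a _dmarc TXT record starting with v=DMARC1 is present.
"""
from dataclasses import dataclass


@dataclass
class MX:
    preference: int
    exchange: str


def _strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a quoted TXT value."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def _split_record(line: str):
    """Return (owner, type, rdata tokens) for one zone line, or None for blanks."""
    fields = _strip_comment(line).split()
    if not fields:
        return None
    owner, rest = fields[0], fields[1:]
    if rest and rest[0].isdigit():          # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":    # optional class
        rest = rest[1:]
    if not rest:
        return None
    return owner, rest[0].upper(), rest[1:]


def parse_mx_rrset(zone_lines):
    """Collect the MX records only; A/AAAA records are deliberately ignored,
    mirroring that the test does not fall back to address records."""
    records = []
    for line in zone_lines:
        parsed = _split_record(line)
        if parsed is None:
            continue
        _owner, rtype, rdata = parsed
        if rtype == "MX" and len(rdata) >= 2:
            records.append(MX(int(rdata[0]), rdata[1]))
    return records


def classify_mx(records):
    """RFC 7505: Null MX is exactly one MX with preference 0 and exchange '.'."""
    if not records:
        return "no MX"
    if len(records) == 1 and records[0].preference == 0 and records[0].exchange == ".":
        return "null MX"
    if any(r.exchange == "." for r in records):
        return "invalid MX"  # a root exchange mixed with real mail hosts
    return "MX configured"


def has_dmarc(zone_lines):
    """Assumed helper: is there a _dmarc TXT record whose value starts with v=DMARC1?"""
    for line in zone_lines:
        parsed = _split_record(line)
        if parsed is None:
            continue
        owner, rtype, rdata = parsed
        if rtype == "TXT" and owner.lower().startswith("_dmarc."):
            value = " ".join(rdata).strip('"')
            if value.upper().startswith("V=DMARC1"):
                return True
    return False


def report(zone_lines):
    """Verdict for one domain: MX class plus whether DMARC is still in place."""
    return {"mx": classify_mx(parse_mx_rrset(zone_lines)), "dmarc": has_dmarc(zone_lines)}


# Constructed sample zones (documentation addresses, not real domains).
SAMPLE_ZONES = {
    "nomail.example.": [
        "nomail.example.        3600 IN MX   0 .          ; Null MX, RFC 7505",
        "nomail.example.        3600 IN A    192.0.2.10",
        '_dmarc.nomail.example. 3600 IN TXT  "v=DMARC1; p=reject"',
    ],
    "onlyweb.example.": [
        "onlyweb.example. 3600 IN A    192.0.2.20",
        "onlyweb.example. 3600 IN AAAA 2001:db8::20",
    ],
    "mail.example.": [
        "mail.example. 3600 IN MX 10 mx1.mail.example.",
        "mail.example. 3600 IN MX 20 mx2.mail.example.",
        '_dmarc.mail.example. 3600 IN TXT "v=DMARC1; p=quarantine"',
    ],
}

if __name__ == "__main__":
    for domain, lines in SAMPLE_ZONES.items():
        print(domain, report(lines))
```

The "onlyweb.example." zone has address records but no MX, and is reported as "no MX" rather than being treated as a mail domain, which is the no-fallback behaviour described above. The "nomail.example." zone shows the recommended combination: a Null MX record plus a DMARC policy, so the domain both refuses mail and protects its name against spoofing.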
About Internet.nl
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform, which is a collaboration of partners from the internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. ECP provides the administrative home of the platform. Open Netlabs / NLnet Labs is responsible for the technical realisation of Internet.nl.
Release notes
New:
- Remove test for X-XSS-Protection
- No MX configured: informational status/icons and more suitable category verdict for STARTTLS and DANE
Bugfixes:
- Fix breaking bug when the cert chain could not be received
- Fix breaking bug for DANE-TA
- Make sure to pick and test the same mail servers when the number of configured mail servers is greater than the allowed maximum
- Fix wrong verdict for mail servers without STARTTLS support
- Make sure only one SMTP connection is active at a time
- Fix IPv6 connectivity for nameservers
- Fix uncaught exception when decrypting HTTPS data
- Fix for connecting to either IPv4 or IPv6 for the mail test