diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc index 54d066fed..d4c30689a 100644 --- a/doc/changelog.asciidoc +++ b/doc/changelog.asciidoc @@ -23,6 +23,12 @@ Added - The qute-pass userscript now has optional OTP support. +Changed +~~~~~~~ + +- The `content.xss_auditing` setting is now enabled by default, to mirror + Chromium's rather than Qt's default behavior. + Fixed ~~~~~ diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc index 75e684ffc..dbb03ef0d 100644 --- a/doc/help/settings.asciidoc +++ b/doc/help/settings.asciidoc @@ -2061,13 +2061,13 @@ Default: +pass:[false]+ [[content.xss_auditing]] === content.xss_auditing Monitor load requests for cross-site scripting attempts. -Suspicious scripts will be blocked and reported in the inspector's JavaScript console. Enabling this feature might have an impact on performance. +Suspicious scripts will be blocked and reported in the inspector's JavaScript console. This setting supports URL patterns. Type: <> -Default: +pass:[false]+ +Default: +pass:[true]+ [[downloads.location.directory]] === downloads.location.directory diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml index 2698c34b1..e57459f64 100644 --- a/qutebrowser/config/configdata.yml +++ b/qutebrowser/config/configdata.yml @@ -729,14 +729,13 @@ content.webrtc_public_interfaces_only: content.xss_auditing: type: Bool - default: false + default: true supports_pattern: true desc: >- Monitor load requests for cross-site scripting attempts. Suspicious scripts will be blocked and reported in the inspector's - JavaScript console. Enabling this feature might have an impact on - performance. + JavaScript console. # emacs: '
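Review bot: In the `content.xss_auditing` entry of qutebrowser/config/configdata.yml, the new `desc` drops its only caveat in the same change that sets `default: true`, so nothing tells a reader what to do when the auditor blocks a script on a legitimate page. The description says "suspicious" scripts are blocked, which suggests a heuristic that can misfire, and the entry already carries `supports_pattern: true`; I would add a sentence such as `If a trusted page breaks, this can be disabled for that site with a URL pattern.` to the description. It may also be worth saying that this is a best-effort browser-side filter and not a substitute for a site's own output encoding or Content-Security-Policy. The hunk in doc/help/settings.asciidoc appears to mirror this description, so it would need the same sentence.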