From a72eee8e39b6d982d936cad999d9f50cd20dc5ce Mon Sep 17 00:00:00 2001
From: Florian Bruhin
Date: Tue, 17 Jul 2018 12:01:17 +0200
Subject: [PATCH] Enable XSS auditing by default

Qt disables this by default, but Chromium does have it enabled. I also submitted a change to Qt to hopefully enable it by default there starting with Qt 5.12: https://codereview.qt-project.org/#/c/198354/15

This also removes the claim of having a (big) performance impact, as Chromium's XSS design doc says the opposite: https://www.chromium.org/developers/design-documents/xss-auditor
---
 doc/changelog.asciidoc | 6 ++++++
 doc/help/settings.asciidoc | 4 ++--
 qutebrowser/config/configdata.yml | 5 ++---
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc
index 54d066fed..d4c30689a 100644
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@@ -23,6 +23,12 @@ Added
 
 - The qute-pass userscript now has optional OTP support.
 
+Changed
+~~~~~~~
+
+- The `content.xss_auditing` setting is now enabled by default, to mirror
+  Chromium's rather than Qt's default behavior.
+
 Fixed
 ~~~~~
 
diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc
index 75e684ffc..dbb03ef0d 100644
--- a/doc/help/settings.asciidoc
+++ b/doc/help/settings.asciidoc
@@ -2061,13 +2061,13 @@ Default: +pass:[false]+
 [[content.xss_auditing]]
 === content.xss_auditing
 Monitor load requests for cross-site scripting attempts.
-Suspicious scripts will be blocked and reported in the inspector's JavaScript console. Enabling this feature might have an impact on performance.
+Suspicious scripts will be blocked and reported in the inspector's JavaScript console.
 
 This setting supports URL patterns.
 
 Type: <>
 
-Default: +pass:[false]+
+Default: +pass:[true]+
 
 [[downloads.location.directory]]
 === downloads.location.directory
diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml
index 2698c34b1..e57459f64 100644
--- a/qutebrowser/config/configdata.yml
+++ b/qutebrowser/config/configdata.yml
@@ -729,14 +729,13 @@ content.webrtc_public_interfaces_only:
 
 content.xss_auditing:
   type: Bool
-  default: false
+  default: true
   supports_pattern: true
   desc: >-
     Monitor load requests for cross-site scripting attempts.
 
     Suspicious scripts will be blocked and reported in the inspector's
-    JavaScript console. Enabling this feature might have an impact on
-    performance.
+    JavaScript console.
 
 # emacs: '
 
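Review bot: With `default: true` the auditor now blocks content on every site out of the box, yet the shortened `desc` gives a user whose page breaks no pointer to the remedy, even though `supports_pattern: true` two lines above is the natural per-site escape hatch. Consider ending the folded desc with a sentence such as `If a legitimate page is affected, check the inspector console and disable this setting for that URL pattern.` The hunk in doc/help/settings.asciidoc mirrors this text verbatim, so that file looks generated from configdata.yml and would presumably pick the sentence up on regeneration; if it is hand-maintained, the same sentence belongs there too. A heuristic filter of this kind is best described as defense in depth rather than a replacement for a page's own protections, and one clause saying so would help users read the new default correctly.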