8

One may probably suggest setting this header for all responses from a web server (I am thinking of value="1; mode=block").

However, does it make sense to set it when serving, say, images? CSS files? JSON responses made from AJAX calls?

Does XSS Auditor care about presence of this header when processing these responses?

oldbam
  • 183
  • 1
  • 3
  • 1
    Interesting. I asked a similar, but more general question, on StackOverflow - *For which Content-Types should I set security related HTTP response headers?* - https://stackoverflow.com/questions/48151455/for-which-content-types-should-i-set-security-related-http-repsonse-headers/48173466#48173466 – Steve Eynon Jan 09 '18 at 20:31

2 Answers

6

If you decide to use X-XSS-Protection, you should set it for any page capable of running active script content. Non-executable formats like CSS or images are not affected by the header.

Note that SVG images, despite being able to run script code, apparently don't respect the header in Chrome which suggests that it is only applied to HTML documents. Proof of concept:

<?php
// Proof of concept: the request parameter is deliberately reflected without
// escaping so the auditor's behaviour can be observed. Headers are sent first.
header('X-XSS-Protection: 1; mode=block');
header('Content-type: image/svg+xml');
// The XML declaration is emitted with echo so PHP does not mistake "<?xml"
// for a short open tag when short_open_tag is enabled.
echo '<?xml version="1.0"?>';
?>
<svg xmlns="http://www.w3.org/2000/svg">
<?php echo $_GET['foo']; ?>
</svg>

Run it in your browser like this: http://localhost/xss.php?foo=<script>alert(1)</script>

In my tests, the reflected JS from the parameter is executed although the XSS filter is active. But if you change the content-type to text/html, the JS will be properly filtered.

(Also note that the use of the X-XSS-Protection header is controversial and can result in new vulnerabilities which is why Facebook even decided to deactivate the XSS auditor entirely. And be aware that setting the header doesn't replace proper output escaping.)

Arminius
  • 43,922
  • 13
  • 140
  • 136
1

This header makes sense for any page that is able to execute JavaScript. This includes HTML files, and maybe SVG and XML, but not JavaScript files or JSON responses, because these do not get executed by the browser just by visiting them.

Sjoerd
  • 28,707
  • 12
  • 74
  • 102
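One way to apply the rule from both answers in code, as an added example that is not from the question or either answer (the WSGI middleware, the demo app and its paths are assumptions for illustration): the header is set only on HTML responses, while JSON, images and SVG are left untouched.

```python
# Added example (not from the question or either answer): a minimal WSGI
# middleware that applies X-XSS-Protection only to responses whose
# Content-Type is an HTML document, the only case in which the answers
# above find the header to have any effect.
from wsgiref.util import setup_testing_defaults

# Media types the XSS auditor acts on. SVG and other XML types are left out
# because the proof of concept above shows Chrome ignoring the header there.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def should_set_xss_header(content_type):
    """Return True when the Content-Type value denotes an HTML document."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in HTML_TYPES


class XssProtectionMiddleware:
    """Add 'X-XSS-Protection: 1; mode=block' to HTML responses only."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            ctype = next((v for k, v in headers if k.lower() == "content-type"), None)
            already_set = any(k.lower() == "x-xss-protection" for k, _ in headers)
            if should_set_xss_header(ctype) and not already_set:
                headers = headers + [("X-XSS-Protection", "1; mode=block")]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start_response)


def _demo_app(environ, start_response):
    # Constructed sample app (hypothetical): the path selects the response type.
    path = environ.get("PATH_INFO", "/")
    types = {"/": "text/html; charset=utf-8", "/api": "application/json",
             "/logo": "image/svg+xml", "/style": "text/css"}
    start_response("200 OK", [("Content-Type", types.get(path, "text/plain"))])
    return [b"ok"]


def response_headers_for(path):
    """Run the wrapped demo app for a path and return its response headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    b"".join(XssProtectionMiddleware(_demo_app)(environ, start_response))
    return captured
```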