Comment 6 for bug 1463698

Christian Schwede (cschwede) wrote :

> This is why it’s important to always follow the golden rule “Filter input, Escape output”

Fully agree - but I think it's the task of the application that stores data inside Swift. Swift itself is primarily a storage system, and it should not alter blob data by default.

> use the security header for prevention of xss X-XSS-Protection: 1; mode=block

So I looked this up and it seems that this is enabled by default in recent browsers, and this header only re-enables it in case a user disabled it on purpose (https://www.owasp.org/index.php/List_of_useful_HTTP_headers; IIRC Firefox also uses this by default).
Adding this header might still be a useful choice in some use cases; so maybe this could be added as a (per-container) configurable option/metadata entry? But in that case it's more of an enhancement IMO.
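The per-container opt-in sketched in the comment above, as an added example that is not part of the bug thread or of OpenStack Swift's own code. It is a plain WSGI middleware in the style Swift's proxy pipeline uses: it leaves the stored blob untouched and only adds `X-XSS-Protection` to responses for containers that opted in. The metadata key `X-Container-Meta-Xss-Protection`, the in-memory `CONTAINER_META` table standing in for a real container metadata lookup, and the sample paths are all assumptions made for this illustration. Because container metadata is set by the account owner, the value is whitelisted before it is echoed into a response header.

```python
"""Hypothetical per-container X-XSS-Protection middleware (illustration only;
not OpenStack Swift code).  The container metadata lookup is stubbed with an
in-memory dict; a real deployment would read it from the container server."""

# Constructed container metadata, keyed by (account, container).  In Swift,
# user metadata is set with X-Container-Meta-* headers; the key name used
# here is an assumption for this example.
CONTAINER_META = {
    ("AUTH_test", "public-html"): {"X-Container-Meta-Xss-Protection": "1; mode=block"},
    ("AUTH_test", "blobs"): {},
}

HEADER = "X-XSS-Protection"
META_KEY = "X-Container-Meta-Xss-Protection"
# Only these exact values are ever emitted: metadata is user-controlled, so
# anything else (including CR/LF or junk) is silently ignored rather than
# copied into a response header.
ALLOWED_VALUES = {"0", "1", "1; mode=block"}


def parse_object_path(path):
    """Return (account, container) for /v1/<account>/<container>[/<object>],
    or None for any other path (account listings, /info, ...)."""
    parts = path.split("/")  # ['', 'v1', account, container, object...]
    if len(parts) < 4 or parts[1] != "v1" or not parts[2] or not parts[3]:
        return None
    return parts[2], parts[3]


def header_for_container(meta):
    """Header value to emit for a container's metadata, or None for no opt-in
    or an invalid value."""
    value = meta.get(META_KEY, "").strip()
    return value if value in ALLOWED_VALUES else None


class XssProtectionMiddleware:
    """Adds X-XSS-Protection to responses of opted-in containers."""

    def __init__(self, app, lookup=None):
        self.app = app
        # lookup(key) -> metadata dict; defaults to the constructed table
        self.lookup = lookup or (lambda key: CONTAINER_META.get(key, {}))

    def __call__(self, environ, start_response):
        key = parse_object_path(environ.get("PATH_INFO", ""))
        value = header_for_container(self.lookup(key)) if key else None

        def _start_response(status, headers, exc_info=None):
            if value is not None:
                # Replace any header the backend already set, then add ours.
                headers = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
                headers.append((HEADER, value))
            return start_response(status, headers, exc_info)

        # The body is passed through unchanged: the blob is never rewritten.
        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Stand-in backend that returns a stored HTML blob verbatim."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<script>alert(1)</script>"]


def get_response(app, path):
    """Drive a WSGI app for GET <path>; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = XssProtectionMiddleware(demo_app)
    for path in ("/v1/AUTH_test/public-html/index.html", "/v1/AUTH_test/blobs/data.bin"):
        status, headers, body = get_response(app, path)
        print(path, status, headers.get(HEADER), body)
```

Note the whitelist in `header_for_container`: without it, a container owner could inject arbitrary header content into every response served from that container. Also worth knowing before building on this: `X-XSS-Protection` is a legacy mechanism; Chromium removed its XSS Auditor in 2019 and Firefox never implemented the header, so current browsers ignore it. The same opt-in plumbing is more useful for carrying a `Content-Security-Policy` value, which is what browsers honor today.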