There is simply no reason anyone should ever use the header X-XSS-Protection. Period. Let alone Google.
Remind me again why J. Random Server Admin (or John Q. Man-in-the-Middle) can remotely disable XSS filtering? What's wrong with the way that NoScript handles this?

RE: Memo To Google: Stop Screwing with IE Security!