Closed
Labels: breaking changes (Change that can break existing code), security (Issue with security impact)
Description
This issue was raised long ago in #1770 and ignored. I'm raising it again.
If you look at a few modern discussions:

- https://security.stackexchange.com/questions/253924/is-it-better-to-disable-x-xss-protection-header-or-set-the-header-as-x-xss-prote
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header
They both recommend disabling this header by default (i.e., setting it to 0). Can I ask you to revisit this decision and make this recommended change this time?
And when this is done, it should set the header to `x-xss-protection: 0` (rather than simply dropping the header entirely).
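To make the requested behaviour concrete, here is an added example in plain Node.js (not helmet's code and not part of the issue above): an Express-style `(req, res, next)` middleware that sets `X-XSS-Protection: 0`, plus a hypothetical `auditHeaders` helper that classifies whatever value a response currently carries, so that a missing header and the legacy `1; mode=block` setting are both flagged as not matching the recommendation. The function names, the in-memory response stub and the verdict strings are all assumptions made for this example.

```javascript
// Added example, not helmet's implementation. Sets the header the issue asks
// for and audits a headers object against that recommendation.

const HEADER = "X-XSS-Protection";

// Express/Connect middleware shape. Only res.setHeader() is used, so this also
// works directly with Node's http.ServerResponse.
function xssProtectionOff(req, res, next) {
  res.setHeader(HEADER, "0"); // explicit "0", not an absent header
  if (typeof next === "function") next();
}

// Classify a raw header value. Comparison is case- and whitespace-insensitive
// because browsers parse it that way.
function classifyXssProtection(value) {
  if (value === undefined || value === null) return "missing";
  const v = String(value).trim().toLowerCase();
  if (v === "0") return "disabled";
  if (v === "1") return "filter";
  if (/^1\s*;\s*mode\s*=\s*block$/.test(v)) return "filter-block";
  if (/^1\s*;\s*report\s*=/.test(v)) return "filter-report";
  return "unknown";
}

// Audit a plain headers object (e.g. from res.getHeaders()). Header names are
// case-insensitive, so the lookup ignores case. Returns whether the value is
// the recommended "0" and a short reason.
function auditHeaders(headers) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === HEADER.toLowerCase()
  );
  const kind = classifyXssProtection(key === undefined ? undefined : headers[key]);
  const reasons = {
    disabled: "header is 0: legacy XSS auditor explicitly turned off",
    missing: "header absent: browsers that still ship the auditor use their own default",
    filter: "header is 1: auditor enabled in sanitising mode",
    "filter-block": "header is 1; mode=block: auditor enabled in block mode",
    "filter-report": "header uses report=: auditor enabled with reporting",
    unknown: "unrecognised value",
  };
  return { ok: kind === "disabled", kind, reason: reasons[kind] };
}

// Minimal stand-in for a response object so the file runs without Express.
function makeResponse() {
  const store = {};
  return {
    setHeader(name, value) { store[name] = value; },
    getHeaders() { return { ...store }; },
  };
}

// Runs the middleware against the stub and audits the result.
function demo() {
  const res = makeResponse();
  xssProtectionOff({}, res, () => {});
  return auditHeaders(res.getHeaders());
}

console.log(demo());
console.log(auditHeaders({ "x-xss-protection": "1; mode=block" }));
console.log(auditHeaders({}));
```

In an Express app the middleware would be registered with `app.use(xssProtectionOff)`; the audit helper is meant for a test suite or a quick check of a deployed endpoint's headers, where the goal is to see `disabled` rather than `missing`.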
sveisvei