Aliaspooryorik

The XSS Auditor refused to execute a script

I've just been trying to debug a strange issue with a CMS site that has been running for the past 6 years with no problems. Recently when you submitted the form which contained HTML content (from CKEditor) to update the page content, the page afterwards would display with no styles at all. Looking at the generated code I could see that the base href tag was not being set (or rather it was empty). Looking at my console in Chrome I saw this message:

The XSS Auditor refused to execute a script in 'http://www.somedomain.com/event/action' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

This led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues

It seems that Chrome now has Cross-Site Scripting protection which detects that HTML has been submitted in the request and then refuses to execute any script on the resulting page whose source was found in that request. The solution turned out to be quite simple: just add an X-XSS-Protection HTTP header.


<cfheader name="X-XSS-Protection" value="0">

As this page is in the admin, which you have to log in to access, I just added this to the top of the layout file and XSS Protection is disabled across the whole admin.
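The same header can be set from Application.cfc so that it only applies to authenticated admin requests and the public site keeps Chrome's default behaviour. This is an added example, not code from the post; the /admin/ path prefix and the session.userId key are assumptions about how the CMS is laid out.

```cfml
<cfcomponent>
    <!--- Runs before every request; arguments.targetPage is the requested template path. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Assumptions: admin templates live under /admin/ and a logged-in editor has session.userId set. --->
        <cfset var isAdminPage = left(arguments.targetPage, 7) EQ "/admin/">
        <cfset var isLoggedIn  = structKeyExists(session, "userId")>
        <!--- Only disable the XSS Auditor for editors posting HTML from CKEditor in the admin. --->
        <cfif isAdminPage AND isLoggedIn>
            <cfheader name="X-XSS-Protection" value="0">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```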

