I've just been trying to debug a strange issue with a CMS site that has been running for the past 6 years with no problems. Recently when you submitted the form which contained HTML content (from CKEditor) to update the page content, the page afterwards would display with no styles at all. Looking at the generated code I could see that the base href tag was not being set (or rather it was empty). Looking at my console in Chrome I saw this message:
The XSS Auditor refused to execute a script in 'http://www.somedomain.com/event/action' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
Which led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues
<cfheader name="X-XSS-Protection" value="0">
As this page is in the admin, which you have to log in to access, I just added this to the top of the layout file, and XSS protection is disabled across the whole admin.
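An added example, not code from the original post: one way to send the same header only on admin form submissions instead of on every admin response, written as a tag-based Application.cfc. The `/admin/` path prefix and the application name are assumptions; a site that routes every request through a single front controller would need to test its own route value instead.

```cfml
<cfcomponent output="false">
    <!--- Assumption: application name chosen for this example --->
    <cfset this.name = "cmsAdminExample">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Assumption: admin templates live under /admin/ --->
        <cfset var isAdmin = left(arguments.targetPage, 7) eq "/admin/">
        <!--- The auditor only acts when the submitted markup is echoed back
              in the response to the same request, i.e. the form POST --->
        <cfset var isPost = cgi.request_method eq "POST">

        <cfif isAdmin and isPost>
            <!--- Same header as in the post, scoped to admin POST responses --->
            <cfheader name="X-XSS-Protection" value="0">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Public pages and admin GET responses keep the browser's default behaviour, so the opt-out covers only the responses that echo the CKEditor content.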