Internet Explorer cross-site scripting warning

I came across the warning “Internet Explorer has modified this page to help prevent cross-site scripting.” which is triggered by the IE8 security filter.

However, IE gives no clue as to why the warning was triggered or what was modified to prevent it. Annoying.

To get some more information you must download the Microsoft Application Compatibility Toolkit and run the Internet Explorer Compatibility Test Tool.

More information about this particular issue with XSS is available here.

It is possible to stop this warning from occurring (besides actually fixing the underlying issue) by adding a custom header entry: X-XSS-Protection: 0
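An added example (not from the original post): a Python check that reports, per response, whether the X-XSS-Protection header is absent, turns the filter off, or leaves it on. The sample responses and their paths are constructed, and `1; mode=block` is a real form of the header that the post itself does not mention.

```python
# Constructed sample responses (status line + headers only), not captured traffic.
SAMPLE_RESPONSES = {
    "/app": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-xss-protection: 0\r\n\r\n",
    "/frame": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "/search": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "/legacy": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\nX-XSS-Protection: 1\r\n\r\n",
    "/odd": "HTTP/1.1 200 OK\r\nX-XSS-Protection: off\r\n\r\n",
}


def header_values(raw, name):
    """Return every value of header `name` (case-insensitive) in a raw response."""
    values = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def classify(raw):
    """Classify what one response tells the browser's XSS filter to do."""
    values = header_values(raw, "X-XSS-Protection")
    if not values:
        return "absent"                     # browser default applies
    if len(values) > 1:
        return "conflicting"                # duplicate headers: flag for review
    parts = [p.strip().lower() for p in values[0].split(";")]
    if parts[0] == "0":
        return "disabled"                   # filter switched off for this response
    if parts[0] == "1":
        return "block" if "mode=block" in parts[1:] else "enabled"
    return "malformed"


def audit(responses):
    """Map each path to its filter state so disabled responses can be reviewed."""
    return {path: classify(raw) for path, raw in responses.items()}


if __name__ == "__main__":
    for path, state in audit(SAMPLE_RESPONSES).items():
        print(f"{path:10} {state}")
```

Responses reported as `disabled` are the ones to review for the underlying issue before the header is left in place.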

3 Comments

  1. Marlon says:

    Internet Explorer 8 is really good. This browser is very very stable and I have been using it for quite a while without blue screens or crashes.

  2. Dan says:

    I have an ajax app that is being broken by this “feature” of IE.

    I have tried setting the x-xss-protection header to 0 and verified it's in place but it does not disable the stupid feature!

    It breaks a request I make to a hidden iframe to generate page content.

    Anyone had any luck getting legit apps through this feature?

  3. This XSS filter is a real menace. It blocks XSS communication according to a rather crude algorithm. In my opinion, it is set far too strict and blocks perfectly legitimate communications. For example, it looks for suspicious XSS activity and blocks that. It also looks for more than 13 XSS communications within a few minute period of time and blocks that, regardless if it is suspicious or not. This is some kind of brute-force algorithm which kicks in. So, if you are doing any regular communication via XSS – chat, synchronization etc. you are seriously out of luck with IE. IE9 is even worse than IE8 in this regard.

    There’s a preferences setting which can turn off the XSS filter, but that does not always work. There are some circumstances where that preference setting is ignored.

    I have to agree with the prior poster – XSS filter is a nightmare. We have decided to tell anyone that needs that capability in our web product to use Firefox, Chrome or Safari. This is not something I like to do, and if it weren’t for this XSS filter, I would actually be real excited about recommending IE9.

    Scott.
