Comments on: Internet Explorer cross-site scripting warning http://www.stpe.se/2009/04/internet-explorer-cross-site-scripting-warning/ Not a blog, more a log. Mon, 06 Feb 2012 12:08:58 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: scott schmitz http://www.stpe.se/2009/04/internet-explorer-cross-site-scripting-warning/comment-page-1/#comment-6357 scott schmitz Tue, 03 May 2011 01:32:51 +0000 http://www.stpe.se/?p=116#comment-6357 This XSS filter is a real menace. It blocks XSS communication according to a rather crude algorithm. In my opinion, it is set far too strict and blocks perfectly legitimate communications. For example, it looks for suspicious XSS activity and blocks that. It also looks for more than 13 XSS communications within a few minute period of time and blocks that, regardless if it is suspicious or not. This is some kind of brute-force algorithm which kicks in. So, if you are doing any regular communication via XSS - chat, synchronization etc. you are seriously out of luck with IE. IE9 is even worse than IE8 in this regards. There's a preferences setting which can turn off the XSS filter, but that does not always work. There are some circumstances where that preference setting is ignored. I have to agree with the prior poster - XSS filter is a nightmare. We have decided to tell anyone that needs that capability in our web product to use Firefox, Chrome or Safari. This is not something I like to do, and if it weren't for this XSS filter, I would actually be real excited about recommending IE9. Scott. This XSS filter is a real menace. It blocks XSS communication according to a rather crude algorithm. In my opinion, it is set far too strict and blocks perfectly legitimate communications. For example, it looks for suspicious XSS activity and blocks that. It also looks for more than 13 XSS communications within a few minute period of time and blocks that, regardless if it is suspicious or not. This is some kind of brute-force algorithm which kicks in. So, if you are doing any regular communication via XSS – chat, synchronization etc. you are seriously out of luck with IE. IE9 is even worse than IE8 in this regards.

There’s a preferences setting which can turn off the XSS filter, but that does not always work. There are some circumstances where that preference setting is ignored.

I have to agree with the prior poster – XSS filter is a nightmare. We have decided to tell anyone that needs that capability in our web product to use Firefox, Chrome or Safari. This is not something I like to do, and if it weren’t for this XSS filter, I would actually be real excited about recommending IE9.

Scott.

]]> By: Dan http://www.stpe.se/2009/04/internet-explorer-cross-site-scripting-warning/comment-page-1/#comment-6161 Dan Wed, 13 Jan 2010 17:56:56 +0000 http://www.stpe.se/?p=116#comment-6161 I have an ajax app that is being broken by this "feature" of IE. I have tried setting the x-xss-protection header to 0 and verified its in place but it does not disable the stupid feature! It breaks a request I make to a hidden iframe to generate page content. anyone had any luck getting legit apps through this feature? I have an ajax app that is being broken by this “feature” of IE.

I have tried setting the x-xss-protection header to 0 and verified its in place but it does not disable the stupid feature!

It breaks a request I make to a hidden iframe to generate page content.

anyone had any luck getting legit apps through this feature?

]]> By: Marlon http://www.stpe.se/2009/04/internet-explorer-cross-site-scripting-warning/comment-page-1/#comment-6154 Marlon Sun, 10 Jan 2010 05:58:57 +0000 http://www.stpe.se/?p=116#comment-6154 Internet Explorer 8 is really good. This browser is very very stable and i have been using it for quite a while without blue screens or crashes. Internet Explorer 8 is really good. This browser is very very stable and i have been using it for quite a while without blue screens or crashes.

]]>