
The XSS Auditor Refused to Execute a Script


· Web Dev Zone

I've been trying to debug a strange issue with a CMS site that has been running for the past six years with no problems. Recently, when I submitted a form containing HTML content (from CKEditor) to update the page content, the page that came back afterward rendered with no styles at all. Looking at the generated code, I could see that the base href tag was not being set (or rather, it was empty), and an empty base href is enough to break every relative stylesheet URL on the page. Looking at the console in Chrome, I saw this message:

The XSS Auditor refused to execute a script in http://www.somedomain.com/event/action because its source code was found within the request. The auditor was enabled as the server sent neither an X-XSS-Protection or a Content-Security-Policy header.

That led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues

Chrome's XSS Auditor is a reflected cross-site scripting filter: when an inline script in the response also appears in the request that produced that response, it assumes the script was injected through the request and refuses to run it. A CMS form that submits page markup and then renders that same markup straight back is exactly that pattern, so a perfectly legitimate edit looks like an attack to the auditor and the script is dropped. The solution turned out to be quite simple: just send an X-XSS-Protection HTTP header that switches the auditor off.

<cfheader name="X-XSS-Protection" value="0">

Since this page is in the admin section, which you have to log in to access, I just added this to the top of the layout file, so XSS protection is disabled across the whole admin section. Note the trade-off: the header turns off a browser-side defence for every response it is sent with, so keep it confined to the authenticated admin layout rather than the public site, and make sure the admin pages still escape anything they echo back from the request. Chrome has since removed the XSS Auditor altogether (as of Chrome 78), so a Content-Security-Policy header, which the console message above also names as disabling the auditor, is the durable way to control how browsers treat scripts on these pages.
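The following is an added example, not code from John Whish's post or from his CMS: a toy JavaScript model of the reflected-script check behind that console message, plus a helper that scopes the header the way the paragraph above describes. The function names (auditorWouldBlock, headersFor), the /admin/ path prefix, the CSP value and the sample editor markup are all assumptions for illustration, not a Chrome or ColdFusion API.

```javascript
// Added example, not code from the post or the CMS it describes. Models the
// "source code was found within the request" check of Chrome's old XSS Auditor
// and shows how to scope the X-XSS-Protection: 0 workaround to admin routes.
// auditorWouldBlock, headersFor, the /admin/ prefix, the CSP value and the
// sample markup are illustrative assumptions, not a Chrome or CFML API.

// Pull the bodies of all inline <script> blocks out of a response.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Collapse whitespace and case so a script that round-tripped through a form
// still matches even if the editor reindented it.
function normalize(s) {
  return s.replace(/\s+/g, ' ').trim().toLowerCase();
}

// Decode an application/x-www-form-urlencoded body into the text the auditor
// would compare the response against.
function decodeFormBody(body) {
  return decodeURIComponent(body.replace(/\+/g, ' '));
}

// Toy model of the auditor: an inline script in the response is treated as
// injected if its source also appears in the request. Following the console
// message quoted in the post, the check is skipped when the server sends
// X-XSS-Protection: 0 or a Content-Security-Policy header. Returns the
// (original, un-normalized) sources of the scripts that would be blocked.
function auditorWouldBlock(requestBody, responseHtml, responseHeaders = {}) {
  const xxp = (responseHeaders['x-xss-protection'] || '').trim();
  if (xxp.startsWith('0') || 'content-security-policy' in responseHeaders) {
    return [];
  }
  const reflected = normalize(decodeFormBody(requestBody));
  return extractInlineScripts(responseHtml).filter((src) => {
    const n = normalize(src);
    return n.length > 0 && reflected.includes(n);
  });
}

// Scope the workaround: only the authenticated admin routes that round-trip
// editor markup get the auditor switched off; every other route gets a CSP,
// the defence that outlived the auditor (removed in Chrome 78).
function headersFor(path) {
  if (path.startsWith('/admin/')) {
    return { 'x-xss-protection': '0' };
  }
  return { 'content-security-policy': "default-src 'self'; script-src 'self'" };
}

// Constructed sample: the CKEditor content carries an inline script, the CMS
// saves it and renders the same markup straight back in the response.
const editorHtml =
  '<p>Next event</p>\n<script>initGallery("event-photos");</script>';
const sampleRequestBody = 'content=' + encodeURIComponent(editorHtml);
const sampleResponseHtml =
  '<html><head><base href="http://www.somedomain.com/"></head>' +
  '<body>' + editorHtml + '</body></html>';

// The first call is the false positive from the post; the second shows the
// admin-only header silencing it.
console.log('no header    :', auditorWouldBlock(sampleRequestBody, sampleResponseHtml));
console.log('admin header :', auditorWouldBlock(sampleRequestBody, sampleResponseHtml,
  headersFor('/admin/event/action')));
```

Run it with node: the first line reports the reflected script as blocked (the false positive the post hit), the second, carrying the admin header, reports nothing blocked. A request whose body does not contain the script is left alone, which is the distinction the real auditor was drawing, and a public route gets the CSP branch instead of having the auditor disabled.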


Published at DZone with permission of John Whish, DZone MVB. See the original article here.
