The XSS Auditor Refused to Execute a Script


I've been trying to debug a strange issue with a CMS site that has been running for the past six years with no problems. Recently, when I submitted a form containing HTML content (from CKEditor) to update the page content, the page afterwards rendered with no styles at all. Looking at the generated code I could see that the base href tag was not being set (or rather, it was empty). Looking at my console in Chrome I saw this message:

The XSS Auditor refused to execute a script in http://www.somedomain.com/event/action because its source code was found within the request. The auditor was enabled as the server sent neither an X-XSS-Protection or a Content-Security-Policy header.

That led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues

Chrome's XSS Auditor is a heuristic defence against reflected cross-site scripting: it looks for script in a response whose source also appears in the request that produced that response, and refuses to run any script it finds that way. A CMS form that posts HTML (here from CKEditor) and then renders that same HTML straight back trips the heuristic exactly, because the submitted markup, including any inline script it carries, is present in both the request body and the response. That is what the console message means by "its source code was found within the request". The fix for this false positive turned out to be quite simple: send an X-XSS-Protection HTTP header that turns the auditor off for the page.

<cfheader name="X-XSS-Protection" value="0">

Since this page is in the admin section, which you have to log in to access, I just added this to the top of the layout file, so XSS protection is disabled across the whole admin section. Bear in mind what that trades away: the auditor was only ever a best-effort filter, but with a value of 0 any reflected XSS in the admin section loses it entirely, so it is worth scoping the header to the specific action that echoes editor content rather than the whole layout, or sending a Content-Security-Policy instead, which switches the auditor off (as the console message says) and adds a real defence in its place. Chrome removed the XSS Auditor in Chrome 78, so in current browsers the X-XSS-Protection header is largely a no-op and a CSP is the one that still does anything.
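As an added example (not code from the original post, and not Chrome's own implementation, which tokenised the full response rather than just script bodies), the following JavaScript models the auditor's reflection check in simplified form. It reproduces the false positive on the CMS save described above, shows that either X-XSS-Protection: 0 or a Content-Security-Policy header switches the check off, and contrasts it with a genuinely reflected payload that the same check would have caught. The request bodies, response markup, the search endpoint and the initSlideshow script are all constructed for the illustration; only the /event/action URL comes from the console message.

```javascript
// Simplified model of the reflection check behind Chrome's (now removed) XSS
// Auditor. Added illustration, not Chrome's code: the real auditor compared
// decoded script and attribute tokens of the whole response against the
// request; this version only compares inline <script> bodies.

// Pull the bodies of inline <script> elements out of an HTML string.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1].trim();
    if (body) scripts.push(body);
  }
  return scripts;
}

// Collapse whitespace and case so trivial formatting differences do not hide a match.
function canonical(s) {
  return s.replace(/\s+/g, "").toLowerCase();
}

// Percent-decode a query string or form body the way the browser sees the raw request.
function decodeFormEncoded(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s; // leave malformed escape sequences alone
  }
}

// Decide whether the auditor runs, following the console message quoted above:
// it is active unless the server sent X-XSS-Protection: 0 or any CSP header.
function auditorEnabled(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  if ("content-security-policy" in h) return false;
  const xxp = h["x-xss-protection"];
  if (xxp !== undefined && xxp.split(";")[0].trim() === "0") return false;
  return true;
}

// Return the inline scripts the modelled auditor would refuse to execute:
// those whose source also appears in the request URL or body.
function auditResponse(request, responseHeaders, responseHtml) {
  if (!auditorEnabled(responseHeaders)) return [];
  const requestText = canonical(
    decodeFormEncoded(request.url) + "\n" + decodeFormEncoded(request.body || "")
  );
  return extractInlineScripts(responseHtml).filter(
    (script) => requestText.includes(canonical(script))
  );
}

// Constructed sample 1: the CMS save. The editor content, including an inline
// script the page legitimately carries, round-trips through the POST body and
// comes back in the rendered response, so its source is "found within the request".
const editorHtml = '<p>Welcome</p><script>initSlideshow("hero");</script>';
const cmsSave = {
  url: "http://www.somedomain.com/event/action",
  body: "content=" + encodeURIComponent(editorHtml),
};
const cmsResponse =
  '<html><head><base href="http://www.somedomain.com/"></head><body>' +
  editorHtml +
  "</body></html>";

// Constructed sample 2: a genuinely reflected payload in a query string
// (hypothetical /search endpoint), which the same check is meant to stop.
const payload = "<script>alert(document.cookie)</script>";
const attack = {
  url: "http://www.somedomain.com/search?q=" + encodeURIComponent(payload),
  body: "",
};
const searchResponse = "<p>Results for " + payload + "</p>";

// Run every combination once; each entry is the list of scripts that would be blocked.
function demo() {
  return {
    cmsDefault: auditResponse(cmsSave, {}, cmsResponse),
    cmsOff: auditResponse(cmsSave, { "X-XSS-Protection": "0" }, cmsResponse),
    cmsCsp: auditResponse(cmsSave, { "Content-Security-Policy": "script-src 'self'" }, cmsResponse),
    attackDefault: auditResponse(attack, {}, searchResponse),
    attackOff: auditResponse(attack, { "X-XSS-Protection": "0" }, searchResponse),
  };
}

console.log(demo());
```

With no headers the CMS save loses its legitimate inline script (the false positive from the post) and the search page loses the injected one (the auditor doing its job); with X-XSS-Protection: 0 both run, which is the trade-off of disabling it section-wide. The CSP case only shows the auditor standing down; the model does not simulate CSP enforcement, which in a real browser would itself refuse the inline script under script-src 'self'.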


Published at DZone with permission of
