I've been trying to debug a strange issue with a CMS site that has been running for the past six years with no problems. Recently, when I submitted a form that contained HTML content (from CKEditor) to update the page content, the page afterward would display with no styles at all. Looking at the generated code I could see that the base href tag was not being set (or rather it was empty). Looking at my console in Chrome I saw this message:
The XSS Auditor refused to execute a script in http://www.somedomain.com/event/action because its source code was found within the request. The auditor was enabled as the server sent neither an X-XSS-Protection or a Content-Security-Policy header.
Which led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues
<cfheader name="X-XSS-Protection" value="0">
Since this page is in the admin section, which you have to log in to access, I just added this to the top of the layout file with XSS Protection disabled across the whole admin section.
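A narrower way to scope the header, as an added example that is not code from the original post: an Application.cfc that sends X-XSS-Protection: 0 only on form submissions from a logged-in admin and leaves the browser default in place everywhere else. The application name, the /admin/ URL prefix and the session.isLoggedIn flag are assumptions made for illustration.

```cfml
<cfcomponent output="false">
    <!--- Hypothetical application settings --->
    <cfset this.name = "cmsExample">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Covers both direct templates and front-controller routes
              such as /index.cfm/admin/page/save --->
        <cfset var requestPath = cgi.script_name & cgi.path_info>

        <!--- Assumption: every admin URL contains an /admin/ path segment --->
        <cfset var isAdminPath = reFindNoCase("(^|/)admin/", requestPath) GT 0>

        <!--- The auditor only fires when submitted markup is echoed back,
              so limit the exemption to form submissions --->
        <cfset var isFormPost = cgi.request_method EQ "POST">

        <!--- Assumption: the login handler sets session.isLoggedIn --->
        <cfset var isLoggedIn = structKeyExists(session, "isLoggedIn") AND session.isLoggedIn>

        <cfif isAdminPath AND isFormPost AND isLoggedIn>
            <cfheader name="X-XSS-Protection" value="0">
        </cfif>

        <!--- All other responses get no header, so the browser default applies --->
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

If the save handler redirects after the POST, the auditor is not triggered by the following GET, because the submitted markup is no longer part of that request.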