The XSS Auditor Refused to Execute a Script


I've been trying to debug a strange issue with a CMS site that had been running for the past six years with no problems. Recently, when I submitted a form containing HTML content (from CKEditor) to update the page content, the page afterward would display with no styles at all. Looking at the generated code I could see that the <base href> tag was not being set (or rather it was empty). Looking at my console in Chrome I saw this message:

The XSS Auditor refused to execute a script in http://www.somedomain.com/event/action because its source code was found within the request. The auditor was enabled as the server sent neither an X-XSS-Protection or a Content-Security-Policy header.

That led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues

It seems that Chrome's cross-site scripting protection (the XSS Auditor) notices that the HTML submitted in the request is being echoed back in the response and stops the matching script from executing. The solution turned out to be quite simple: just add an X-XSS-Protection HTTP header.

<cfheader name="X-XSS-Protection" value="0">

Since this page is in the admin section, which requires a login to access, I just added this to the top of the admin layout file, which disables XSS protection across the whole admin section.
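To make the auditor's decision concrete, here is an added example (not code from the post or from the CMS) that models, in Python, the two things the console message describes: the auditor being switched on or off by the response headers, and a script being refused because its source code also appears in the request body. It assumes the header semantics of Chrome's documented values (`0`, `1`, `1; mode=block`) and, following the quoted message, that a Content-Security-Policy header alone also turns the auditor off; the reflection check is a plain substring comparison, far cruder than the real auditor's tokenised matching; the form body, the page HTML and the `www.somedomain.com` URL are constructed sample data. Chrome removed the XSS Auditor in version 78, so the header has no effect in current Chrome and the model only explains the behaviour the post saw.

```python
"""Toy model of Chrome's (since removed) XSS Auditor and the X-XSS-Protection header.

Added example, not the original post's code. Header semantics follow the quoted
console message and Chrome's documented values; the reflection heuristic is a
deliberate simplification.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import quote_plus, unquote_plus

# Inline <script> blocks and their bodies (simplified; ignores external src= scripts).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def auditor_mode(headers: Dict[str, str]) -> str:
    """Return 'off', 'filter' or 'block' from the response headers.

    Assumption, taken from the post's console message: with neither header
    present the auditor is on in filter mode, a CSP header alone switches it
    off, and an explicit X-XSS-Protection value takes precedence.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xss = lower.get("x-xss-protection")
    if xss is None:
        return "off" if "content-security-policy" in lower else "filter"
    directives = [d.strip() for d in xss.split(";")]
    if directives[0] == "0":
        return "off"  # the value the post sends via <cfheader>
    if directives[0] != "1":
        raise ValueError(f"unrecognised X-XSS-Protection value: {xss!r}")
    for directive in directives[1:]:
        name, _, value = directive.partition("=")
        if name.strip().lower() == "mode" and value.strip().lower() == "block":
            return "block"  # refuse to render the page at all
    return "filter"  # neutralise only the reflected script


def _normalise(text: str) -> str:
    """Whitespace- and case-insensitive form used for the substring comparison."""
    return re.sub(r"\s+", "", text).lower()


def reflected_scripts(request_body: str, response_html: str) -> List[str]:
    """Inline script bodies in the response whose source also occurs in the request.

    This is the core heuristic behind 'its source code was found within the
    request', reduced to a substring match on the URL-decoded POST body.
    """
    decoded = _normalise(unquote_plus(request_body))
    found = []
    for match in SCRIPT_RE.finditer(response_html):
        body = match.group(1)
        if body.strip() and _normalise(body) in decoded:
            found.append(body.strip())
    return found


def audit(headers: Dict[str, str], request_body: str, response_html: str) -> Tuple[str, str]:
    """Return (action, html): action is 'allow', 'filter' or 'block'."""
    mode = auditor_mode(headers)
    if mode == "off":
        return "allow", response_html
    reflected = reflected_scripts(request_body, response_html)
    if not reflected:
        return "allow", response_html
    if mode == "block":
        return "block", ""
    # Filter mode: drop only the reflected script blocks, keep everything else.
    return "filter", SCRIPT_RE.sub(
        lambda m: "" if m.group(1).strip() in reflected else m.group(0), response_html
    )


# Constructed sample data: an admin form post whose CKEditor HTML carries the
# script that sets <base href>, and the CMS page that echoes that HTML back.
REFLECTED_SCRIPT = "<script>document.write('<base href=\"http://www.somedomain.com/\">');</script>"
FORM_BODY = "content=" + quote_plus(REFLECTED_SCRIPT + "<p>Updated text</p>")
PAGE = (
    "<html><head>" + REFLECTED_SCRIPT + '<link rel="stylesheet" href="css/site.css"></head>'
    "<body><p>Updated text</p><script>trackPageView();</script></body></html>"
)

if __name__ == "__main__":
    for hdrs in ({}, {"X-XSS-Protection": "0"}, {"X-XSS-Protection": "1; mode=block"}):
        action, html = audit(hdrs, FORM_BODY, PAGE)
        print(hdrs, "->", action, "| base href kept:", "base href" in html)
```

Run as is, the script shows the post's symptom with no headers (the `<base href>` script is stripped while the unrelated tracking script survives, so the page renders without its stylesheet path) and the fix with `X-XSS-Protection: 0`. One design point the model makes visible: `0` in the admin layout switches the filter off for every admin page, not just the one that echoes CKEditor content, so scoping the `<cfheader>` to the action that renders submitted HTML, or sending a Content-Security-Policy header (which the console message says also disables the auditor), keeps the filter active everywhere else.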

Published at DZone with permission of
