
The XSS Auditor Refused to Execute a Script



I've been trying to debug a strange issue with a CMS site that has been running for the past six years with no problems. Recently, when I submitted a form that contained HTML content (from CKEditor) to update the page content, the page afterward would display with no styles at all. Looking at the generated code I could see that the base href tag was not being set (or rather it was empty). Looking at my console in Chrome I saw this message:

The XSS Auditor refused to execute a script in http://www.somedomain.com/event/action because its source code was found within the request. The auditor was enabled as the server sent neither an X-XSS-Protection or a Content-Security-Policy header.

Which led me to this post on Stack Overflow: http://stackoverflow.com/questions/17016960/google-chromes-xss-auditor-causing-issues

Chrome's XSS Auditor is a reflected cross-site scripting filter: when a response contains a script whose source also appears in the request that produced it (here, the HTML posted from CKEditor, which the CMS echoes straight back into the page), the auditor assumes the script was injected and refuses to execute it. As the console message says, it only runs when the server sends neither an X-XSS-Protection nor a Content-Security-Policy header. The solution turned out to be quite simple: send an X-XSS-Protection header that switches the auditor off.

<cfheader name="X-XSS-Protection" value="0">
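To make the failure mode concrete, here is an added example that is not part of the original post: a small Python model of the auditor's decision. It applies the heuristic described above (an inline script in the response whose source also appears in the request body is treated as reflected) and the enable/disable rule from the console message (no X-XSS-Protection and no Content-Security-Policy header means the auditor is on; X-XSS-Protection: 0 turns it off). The request, response and header values are constructed for the example; nothing here is Chrome's actual source.

```python
import re
from urllib.parse import unquote_plus

# Inline <script>...</script> bodies in the response (script src="..." tags have an
# empty body and are ignored by the reflection check below).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def _canon(text: str) -> str:
    """Rough stand-in for the auditor's canonicalisation: drop whitespace, fold case."""
    return re.sub(r"\s+", "", text).lower()


def reflected_scripts(request_body: str, response_html: str) -> list:
    """Inline scripts in the response whose source is also found in the request."""
    body = _canon(unquote_plus(request_body))   # form-encoded POST body, decoded
    hits = []
    for match in SCRIPT_RE.finditer(response_html):
        source = match.group(1)
        canon = _canon(source)
        if canon and canon in body:
            hits.append(source.strip())
    return hits


def auditor_enabled(headers: dict) -> bool:
    """Auditor is on only when neither header is sent; X-XSS-Protection: 0 disables it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lowered:
        return False
    value = lowered.get("x-xss-protection")
    if value is None:
        return True
    return not value.strip().startswith("0")


def blocked_scripts(request_body: str, response_html: str, headers: dict) -> list:
    """Scripts the auditor would refuse to execute for this request/response pair."""
    if not auditor_enabled(headers):
        return []
    return reflected_scripts(request_body, response_html)


# Constructed sample: the CMS admin form posts CKEditor HTML that contains a script,
# and the rendered page echoes that content back next to the template's own script.
SAMPLE_REQUEST_BODY = (
    "id=42&content=%3Cp%3EHello%3C%2Fp%3E"
    "%3Cscript%3Eembed.load(%2742%27)%3C%2Fscript%3E"
)
SAMPLE_RESPONSE = (
    "<html><head>"
    "<script>document.write('<base href=\"http://www.somedomain.com/\">')</script>"
    "</head><body><p>Hello</p>"
    "<script>embed.load('42')</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for hdrs in ({}, {"X-XSS-Protection": "0"}, {"Content-Security-Policy": "default-src 'self'"}):
        print(hdrs, "->", blocked_scripts(SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE, hdrs))
```

Run as-is, the sample with no headers flags the echoed `embed.load('42')` script and leaves the template's own base-href script alone, while either header makes the auditor stand down. Two caveats a practitioner should keep in mind: a Content-Security-Policy also switches the auditor off, but the policy then has to permit the page's own inline scripts (via nonces or hashes) or it will block them itself; and Chrome removed the XSS Auditor altogether in Chrome 78, so on current Chromium browsers the header is a no-op and a CSP is the only one of the two that still does anything.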

Since this page is in the admin section, which you have to log in to access, I just added this to the top of the layout file, which disables XSS protection across the whole admin section.



Published at DZone with permission of John Whish, DZone MVB. See the original article here.
