Chrome has an XSS auditor. Edge recently removed theirs. The only work around is to stop your page from looking like a reflected XSS attack.
Yup - looks like this is actually a spec and not just a Chrome thing. You can get around it by using an `X-XSS-Protection: 0` HTTP header in the response.
Firefox and Edge do not have an XSS Auditor. There isn't really a "spec" for it. IE still has it?
@ericlaw probably knows. I did forget about the header.
It seems overly aggressive, especially since, as Eric says, the data is posted and the response is restricted. Seems to me this sort of thing shouldn't be handled by the client but the server.
Gigabytes have been spilled on this debate. In your particular scenario, Chrome shouldn't be blocking unless the reflected content was literally about to get handed to the script engine.
"handed to the script engine". What does that mean? In my case the page is here: https://samples.west-wind.com/StringToCodeConverter/ … It converts the string (including some of the HTML tags) and displays it, albeit HtmlEncoded. There's also script to copy to clipboard, but is Chrome detecting that? Really?
Are you putting code into a query string and rendering it as a <script>?
No - code in a form post, then written out with some transformation as HtmlEncoded text. Output should be safely HTML encoded. Page in question is here: https://samples.west-wind.com/StringToCodeConverter/ … (works now because of the header, but without it fails in Chrome when Form/input elements are sent).
Any chance you have a gist or copy of the code for me to paste and try?
Sure. I'll put the site on Github. Give me a minute.
Yeah, if you remove the FORM element and the two OnChange elements, the Auditor doesn't fire. It might be worth filing a bug on Chrome because the View-Source reflection-highlighting doesn't work properly here. I'm not entirely sure why not.
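Added example, not code from anyone in the thread or from the West Wind sample site: a minimal Python handler that reflects a form-posted string only after HTML-encoding it, and sets the `X-XSS-Protection` header the thread discusses. The form and header names are assumptions; `0` and `1; mode=block` are the legacy values browsers with an auditor understood.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs


def render_page(user_text: str) -> str:
    """Echo a form-posted string back as HTML-encoded text.

    html.escape turns < > & " ' into entities, so the reflected value can
    never be parsed as markup or script, even though an auditor may still
    flag the page because the encoded <form>/<input> text matches the request.
    """
    encoded = html.escape(user_text, quote=True)
    return (
        "<!doctype html><html><body>"
        "<form method='post'><textarea name='code'>" + encoded + "</textarea>"
        "<input type='submit' value='Convert'></form>"
        "<pre id='out'>" + encoded + "</pre>"
        "</body></html>"
    )


def response_headers(disable_auditor: bool) -> dict:
    """Headers for the reflected page.

    'X-XSS-Protection: 0' asks browsers that still ship an auditor to leave
    the response alone; '1; mode=block' lets the auditor blank the page when
    it believes reflected markup is about to reach the parser.
    """
    headers = {"Content-Type": "text/html; charset=utf-8"}
    headers["X-XSS-Protection"] = "0" if disable_auditor else "1; mode=block"
    return headers


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8"))
        body = render_page(form.get("code", [""])[0]).encode("utf-8")
        self.send_response(200)
        for name, value in response_headers(disable_auditor=True).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```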