WTFwebdev #1: Disable the IE XSS filter with an HTTP header
Where did I experience this?
I was simply adding a JavaScript redirect to another domain on a subsite of a project, like this:
top.location.href = "http://anotherdomain.tld";
Most browsers had no problem with that, but IE came up with the following message:
Internet Explorer has modified this page to prevent a potential cross-site-scripting attack.
For the first 20 minutes I didn't notice this message because it was embedded very inconspicuously in IE, and all I saw was the website's behaviour: the page was automatically modified and did nothing. I was confused and started debugging until I finally noticed the log message.
To stop IE8+ from applying its XSS filter, send the following header from your web server or server-side script: X-XSS-Protection: 0
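The post does not say which server-side language it uses, so here is the header set from a small Python WSGI app, as an added example that is not code from the original post. It serves the JavaScript redirect from above and sends X-XSS-Protection: 0 only for that one page; every other page keeps the filter on with the value 1; mode=block, which tells IE to render nothing at all instead of silently "repairing" the page when the filter fires. The path /goto-other-domain and the function names are assumptions made for this example; the target http://anotherdomain.tld is the one from the post.

```python
# Added example, not from the original post: a minimal WSGI app that serves the
# JavaScript redirect page and sends "X-XSS-Protection: 0" only for that page.
from wsgiref.simple_server import make_server

# Hypothetical path for this example; the target domain is the one from the post.
REDIRECT_PATH = "/goto-other-domain"
TARGET = "http://anotherdomain.tld"

# The same redirect the post uses, embedded in a bare HTML page.
REDIRECT_PAGE = (
    '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
    '<script>top.location.href = "%s";</script>'
    "</body></html>" % TARGET
).encode("utf-8")

ORDINARY_PAGE = b"<!DOCTYPE html><html><body>ordinary page</body></html>"


def xss_protection_header(path):
    """Return the X-XSS-Protection value to send for a given request path.

    "0" switches the IE8+ filter off; "1; mode=block" keeps it on but makes IE
    show a blank page instead of rewriting the response when the filter fires.
    Scoping the "0" to the redirect page keeps the filter active everywhere else.
    """
    if path == REDIRECT_PATH:
        return "0"
    return "1; mode=block"


def app(environ, start_response):
    """WSGI entry point: pick the page and attach the matching header."""
    path = environ.get("PATH_INFO", "/")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-XSS-Protection", xss_protection_header(path)),
    ]
    start_response("200 OK", headers)
    if path == REDIRECT_PATH:
        return [REDIRECT_PAGE]
    return [ORDINARY_PAGE]


def response_for(path):
    """Call the app in-process and return (status, headers dict, body) for a path.

    Useful for checking the headers without starting a server.
    """
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Run it and open http://127.0.0.1:8000/goto-other-domain in IE8+ to see
    # the redirect go through without the filter's "modified this page" notice.
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("serving on http://127.0.0.1:8000" + REDIRECT_PATH)
        httpd.serve_forever()
```

The same header can of course be set by the web server itself (for example with Apache's mod_headers Header set directive) rather than by the script; the point is the same either way: the header only affects the responses that carry it, so it can be limited to the page that triggers the filter.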
This turns off the XSS filter in IE, and the problem should be solved. Keep in mind that the header only affects the responses that carry it, so send it for the page that triggers the filter rather than for the whole site. I was really confused when I ran into this problem because I wasn't doing an XSS attack, but maybe it was the specific circumstances of the project. What do you think about that feature?