WTFwebdev #1: Disable IE XSS filter with a http header

Estimated reading time: 1 minutes ( save for later )

Today I’ve decided to start a blog series about random web development bugs I came across in some of my projects, so here is the first entry which is about the automatic XSS attack protection from IE. The XSS filter was implemented in the early times of IE8 and should have improved IE’s browsing security. Here is how the XSS filter works: IE detects when a site injects javascript to legitimate requests to another website, classifies it as XSS and the best part, IE automatically modifies the site to stop the XSS attack.

Where did I experience this?

I was simply adding a redirect to another domain with js to a subsite of a project, just like that:

top.location.href = "http://anotherdomain.tld";

Most of the browsers didn’t have a problem with that but IE came up with the following message:

Internet Explorer has modified this page to prevent a potential cross-site-scripting attack.

The first 20 minutes I didn’t realize this message because it was really unflashy embedded in IE and I just recognized the website behaviour. The website was automatically modified and did nothing. I was confused and started debugging till I finally recognized the log message.

The solution

In order to prevent IE8+ from doing XSS protection respond the following header from your webserver/serverside script

X-XSS-Protection: 0

This turns off the XSS-filter in IE and the problem should be solved. I was really confused when I came to this problem because I didn’t do an XSS attack but maybe it were the specific circumstances in the project. What do you think about that feature?

Read more…

MSDN Event 1046 – Cross-Site Scripting Filter