j-zhang

Reputation: 703

How to deal with Chrome X-XSS-Protection in a right way?

I run my application in Chrome, and it has an error:

Refused to execute script from 'http://example.com/info?no=31&magic=1184' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. 

From this topic, I know it should set the HTTP header X-XSS-Protection: 0

Refused to execute a JavaScript script. Source code of script found within request

I use RoR to set it as this:

def info
  response.headers['X-XSS-Protection'] = '0'
  # Other logic
end

But the result is, the HTTP header is still:

X-XSS-Protection:1; mode=block
X-XSS-Protection:0

When I try it in Firefox, the http header is:

X-XSS-Protection    0, 1; mode=block

And it can run perfectly.

Why does it have 1; mode=block? How do I remove it?

Upvotes: 1

Views: 3256

Answers (1)

guest

Reputation: 11

This has nothing to do with XSS protection. You need to change the Content-Type HTTP header on http://example.com/info?no=31&magic=1184 from text/html to text/javascript.

Upvotes: 1
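A worked example added to this thread (it is not code from the question's author or the answerer): a plain-Ruby model of the /info endpoint, served once with the text/html Content-Type from the question and once with text/javascript as the answer recommends, plus a checker that emulates the browser's strict MIME check for script responses. The JavaScript MIME list, the strict-check logic and the nosniff header are assumptions about browser behaviour and Rails defaults, not facts stated on this page.

```ruby
# Added example, not from the question or the answer. Rack-shaped
# responses ([status, headers, body]) are used so nothing needs Rails.
require 'json'

# MIME types browsers treat as JavaScript (assumed list; text/javascript
# is the one the answer recommends).
JS_MIME_TYPES = %w[
  text/javascript application/javascript application/x-javascript
  application/ecmascript text/ecmascript
].freeze

# Constructed script body standing in for whatever /info really returns.
def info_script(no, magic)
  "window.info = #{JSON.generate(no: no, magic: magic)};"
end

# 'Before': a script body labelled text/html. Rails also sends
# X-Content-Type-Options: nosniff by default (assumption), which is what
# makes the browser's MIME check strict and produces the console error.
def info_response_html(no, magic)
  [200,
   { 'Content-Type' => 'text/html; charset=utf-8',
     'X-Content-Type-Options' => 'nosniff' },
   [info_script(no, magic)]]
end

# 'After': same body, JavaScript MIME type as the answer says.
def info_response_js(no, magic)
  [200,
   { 'Content-Type' => 'text/javascript; charset=utf-8',
     'X-Content-Type-Options' => 'nosniff' },
   [info_script(no, magic)]]
end

# Emulates the browser-side check for a <script src> response:
#   :executable - media type is a JavaScript type
#   :blocked    - nosniff present and media type is not JavaScript
#   :not_strict - nosniff absent; sniffing behaviour is outside this model
def strict_mime_check(headers)
  media_type = headers.fetch('Content-Type', '').split(';').first.to_s.strip.downcase
  return :executable if JS_MIME_TYPES.include?(media_type)
  strict = headers['X-Content-Type-Options'].to_s.strip.casecmp?('nosniff')
  strict ? :blocked : :not_strict
end
```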
