piraces

Reputation: 1348

Chrome: ERR_BLOCKED_BY_XSS_AUDITOR details

I'm getting this Chrome error when trying to POST and then GET a simple form.

The problem is that the Developer Console shows nothing about this and I cannot find the source of the problem by myself.

Is there any option for looking at this in more detail? Viewing the piece of code triggering the error so I can fix it...

Upvotes: 48

Views: 94104

Answers (8)

Darkseal

Reputation: 9564

Chrome v58 might or might not fix your issue... It really depends on what you're actually POSTing. For example, if you're trying to POST some raw HTML/XML data within an input/select/textarea element, your request might still be blocked by the auditor.

In the past few days I hit this issue in two different scenarios: a WYSIWYG client-side editor and an interactive upload form featuring some kind of content preview. I managed to fix them both by base64-encoding the raw HTML before POSTing it, then decoding it on the receiving PHP page. This will most likely fix the issue and, most importantly, increase the developer's awareness level regarding the data coming from POST requests, hopefully pushing them into adopting effective data encoding/decoding strategies and strengthening their web application against XSS-type attacks.

To base64-encode your content on the client side you can either use the native btoa() function, which is supported by most browsers nowadays, or a third-party alternative such as a jQuery plugin (I ended up using this, which worked ok).

To base64-decode the POST data you can then use PHP's base64_decode(str) function, ASP.NET's Convert.FromBase64String(str) or anything else (depending on your server-side scenario).

For further info, check out this blog post that I wrote on the topic.

Upvotes: 26
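A UTF-8-safe version of the btoa()/base64 round trip described in the answer above, as an added example that is not from the answer itself (the function names encodeHtmlForPost, decodePostedHtml and escapeHtml are my own). It also shows the receiving side escaping the decoded HTML before echoing it into a page, since the auditor was only ever flagging request input reflected verbatim in the response.

```javascript
// Added example: base64 transport of raw HTML as the answer suggests, made
// UTF-8 safe, plus the output escaping the receiving side still needs.

// Client side: btoa() accepts only Latin-1 code units, so a plain
// btoa('<p>5 €</p>') throws InvalidCharacterError in the browser.
// UTF-8-encode first, then map each byte to one character for btoa().
function encodeHtmlForPost(html) {
  const bytes = new TextEncoder().encode(html);            // UTF-8 bytes
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b); // one char per byte
  return typeof btoa === 'function'
    ? btoa(binary)                                         // browser / Node 16+
    : Buffer.from(binary, 'latin1').toString('base64');    // older Node fallback
}

// Server side (Node shown; PHP would use base64_decode() and the same
// escaping step): reverse the two steps to recover the original string.
function decodePostedHtml(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Decoding restores exactly the payload the auditor used to block. Store the
// raw HTML if you must, but escape it before it is written into an HTML text
// node or attribute, otherwise the workaround has only hidden a reflected XSS.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample editor payload: a tag, a non-Latin-1 character, quotes.
const sampleHtml = '<p>Preis: 5 € (it\'s "ok")</p>';
const wire = encodeHtmlForPost(sampleHtml);
console.log(wire);                                   // what the form POSTs
console.log(decodePostedHtml(wire) === sampleHtml);  // true
console.log(escapeHtml(decodePostedHtml(wire)));     // safe for a text node
```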

A1Gard

Reputation: 4168

The simple way to bypass this error during development is to send a header to the browser.

Send the header before sending any data to the browser.

In PHP you can send this header to bypass the error (send header reference):

header('X-XSS-Protection:0');

In ASP.NET you can send this header (send header reference):

HttpContext.Response.AddHeader("X-XSS-Protection","0");
or 
HttpContext.Current.Response.AddHeader("X-XSS-Protection","0"); 

In Node.js send the header like this (send header reference):

res.writeHead(200, {'X-XSS-Protection':0 });
// or express js
res.set('X-XSS-Protection', 0);

Upvotes: 74

Stephen Gilboy

Reputation: 5825

I've noticed that if there is an apostrophe ' in the text Chrome will block it.

Upvotes: 2

Laurie Stearn

Reputation: 999

In this case, being a first-time contributor at the Creative forums (some kind of vBulletin construct) and reduced to posting a PM to the moderators before forum access, it is easy for one to encapsulate the nature of the issue from the more popular answers above. The command was

http://forums.creative.com/private.php?do=insertpm&pmid=

And as described above the actual data was "raw HTML/XML data within an input/select/textarea element".

The general requirement for handling such a bug (or feature) at the user end is some kind of quick fixit tweak or twiddle. This post discusses the option of clearing cache, resetting Chrome settings, creating a new_user or retrying the operation with a new beta release. It was also suggested that one launches a new instance with the following:

google-chrome-stable --disable-xss-auditor

The launch actually worked in this W10 1703 Chrome 061 edition after this modified version:

chrome --disable-xss-auditor

However, on logging back in to the site and attempting the post again, the same error was generated. Perhaps the syntax wants refining or something else is awry.

It then seemed reasonable to launch Edge and repost from there, which turned out to be no problem at all.

Upvotes: 5

user236939

Reputation: 53

It is a Chrome bug. The only remedy is to use Firefox until they fix this Chrome bug. XSS auditor trashing a page that has worked fine for 20 years seems to be a symptom, not a cause.

Upvotes: 0

Chloe

Reputation: 26274

This may help in some circumstances. Modify the Apache httpd.conf file and add

# mod_headers directive (there is no "ResponseHeader" directive in Apache httpd)
Header set X-XSS-Protection "0"

It may have been fixed in Version 58.0.3029.110 (64-bit).

Upvotes: 3

Frana

Reputation: 1

I solved the problem!

In my case, when I make the submit, I send the HTML to the action, and in the model I had a property that accepted the HTML with "AllowHTML".

The solution consists in removing this "AllowHTML" property and everything goes OK!

Obviously I no longer send the HTML to the action because in my case I do not need it.

Upvotes: 0

Green Lei

Reputation: 3422

When I update the href from javascript:void(0) to # in the page that makes the POST request, it works.

For example:

<a href="javascript:void(0)" id="loginlink">login</a>

Change to:

<a href="#" id="loginlink">login</a>

Upvotes: 0
