- Nov 5, 2011
- 5,855
.
Controlling the XSS Filter read: by Eric Lawrence, in EricLaw's IEInternals MSDN blog: http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
Quote:
'Internet Explorer 8 included a novel new feature to help prevent reflected cross-site scripting attacks, known as the XSS Filter. This filter runs by default in the Internet, Trusted, and Restricted security zones.'
'If a cross-site scripting attack is detected, Internet Explorer 8 and 9' (and IE10 also, surely ..) 'will attempt to make the smallest possible modification to the returned web page in order to block the attack.'
'In March of 2010, we added to IE8 support for a new token in the X-XSS-Protection header, mode=block.'
'When this token is present, if a potential XSS Reflection attack is detected, Internet Explorer will prevent rendering of the page. Instead of attempting to sanitize the page to surgically remove the XSS attack, IE will render only “#”. You can test the XSS Filter’s block mode here':
XSS TEST Page: http://www.enhanceie.com/test/xss/BlockMode.asp
.
Controlling the XSS Filter read: by Eric Lawrence, in EricLaw's IEInternals MSDN blog: http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
Quote:
'Internet Explorer 8 included a novel new feature to help prevent reflected cross-site scripting attacks, known as the XSS Filter. This filter runs by default in the Internet, Trusted, and Restricted security zones.'
'If a cross-site scripting attack is detected, Internet Explorer 8 and 9' (and IE10 also, surely ..) 'will attempt to make the smallest possible modification to the returned web page in order to block the attack.'
'In March of 2010, we added to IE8 support for a new token in the X-XSS-Protection header, mode=block.'
'When this token is present, if a potential XSS Reflection attack is detected, Internet Explorer will prevent rendering of the page. Instead of attempting to sanitize the page to surgically remove the XSS attack, IE will render only “#”. You can test the XSS Filter’s block mode here':
XSS TEST Page: http://www.enhanceie.com/test/xss/BlockMode.asp
.