IE 8 XSS Filter – Detection and optional fix
While browsing with Internet Explorer 8, I several times received the XSS Filter notice saying “Internet Explorer has modified this page to help prevent cross-site scripting”, resulting in an empty page, usually after trying to submit a form.
Although this is a security feature IE applies in order to protect the user, it sometimes blocks legitimate sites performing legitimate operations.
If you are a website owner and you have received complaints about this issue, you can check your web site using ACT 5.5, AKA the “Microsoft Application Compatibility Toolkit 5.5”, which can be downloaded directly from here.
This is the result when using the Internet Explorer Compatibility Test Tool on my example web site:
As you can see, the tool allows me to detect what happened, and why, during my browsing session inside my web site. (The tool also works on remote sites and can be used for solving other compatibility issues as well.)
As for my example, I used the one I found on MSDN – here.
Resolution:
1. Fix your code and make sure it does not perform illegal operations such as cross-site scripting.
2. Ask your users to disable the XSS Filter on their machines (BAD!)
3. Set this response header: “X-XSS-Protection: 0” in order to disable this feature for your site (BAD!)
You can set the response header directly from the web.config by adding this section (note that the header name must not contain leading or trailing whitespace, otherwise IIS emits a malformed header name that the browser ignores):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <clear />
      <add name="X-XSS-Protection" value="0" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
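Before shipping a change like this it is worth checking what the configuration actually sends. The following Python script is an added example, not code from the original post or from Microsoft: it parses the customHeaders section of a web.config, flags a header name with stray whitespace (which would make IIS send a header the browser does not recognise), and reports whether the X-XSS-Protection value switches the filter off, leaves it on, or asks for block mode. The SAMPLE_WEB_CONFIG below is constructed for the demonstration and deliberately contains a leading space in the header name.

```python
"""Audit an IIS web.config for the X-XSS-Protection custom header.

Added example (not part of the original post). It walks every
<customHeaders> element, normalises the header name and classifies the
X-XSS-Protection value so a site owner can see exactly what the browser
will be told.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config: the customHeaders block from the post,
# including a leading space in the header name to show that the audit catches it.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name=" X-XSS-Protection" value="0" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def classify_xss_protection(value):
    """Map an X-XSS-Protection header value to the behaviour it requests.

    "0"              -> filter disabled for the page
    "1"              -> filter enabled, page is sanitised (IE8 default)
    "1; mode=block"  -> filter enabled, page is not rendered at all
    anything else    -> "unknown" (treat as a configuration error)
    """
    v = value.strip().lower()
    if v == "0":
        return "disabled"
    if v == "1":
        return "enabled"
    if v.startswith("1;") and "mode=block" in v.replace(" ", ""):
        return "block"
    return "unknown"


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for the custom headers."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() finds customHeaders wherever it sits, including <location> scoped blocks.
    for custom_headers in root.iter("customHeaders"):
        for add in custom_headers.findall("add"):
            raw_name = add.get("name", "")
            name = raw_name.strip()
            value = add.get("value", "")
            if raw_name != name:
                findings.append(("error",
                                 f"header name {raw_name!r} has surrounding whitespace; use {name!r}"))
            if name.lower() == "x-xss-protection":
                policy = classify_xss_protection(value)
                if policy == "disabled":
                    findings.append(("warning",
                                     "X-XSS-Protection: 0 turns the IE8 XSS Filter off for every page on this site"))
                elif policy == "unknown":
                    findings.append(("error",
                                     f"unrecognised X-XSS-Protection value {value!r}"))
                else:
                    findings.append(("info", f"X-XSS-Protection policy: {policy}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed sample the script reports two findings: an error for the whitespace in the header name and a warning that the value 0 disables the filter site-wide. Pointing it at a real web.config (read the file and pass its text to audit_web_config) gives the same review before the header goes live.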
Please make sure you read the MSDN article first so you know exactly what risks you are taking by doing so.