Share via

Controlling the XSS Filter

  • Article

Internet Explorer 8 included a novel new feature to help prevent reflected cross-site scripting attacks, known as the XSS Filter. This filter runs by default in the Internet, Trusted, and Restricted security zones. Local Intranet zone pages may opt-in to the protection using the same header:

X-XSS-Protection: 1

If a cross-site scripting attack is detected, Internet Explorer 8 and 9 will attempt to make the smallest possible modification to the returned web page in order to block the attack. Here’s an example. In most cases, the modification is to change one or more characters in the returned page into the hash character (“#”) breaking any script that may have been reflected from the outbound HTTP request.

Pages that have been secured against XSS via server-side logic may opt-out of this protection using a HTTP response header:

X-XSS-Protection: 0

In March of 2010, we added to IE8 support for a new token in the X-XSS-Protection header, mode=block.

X-XSS-Protection: 1; mode=block

When this token is present, if a potential XSS Reflection attack is detected, Internet Explorer will prevent rendering of the page. Instead of attempting to sanitize the page to surgically remove the XSS attack, IE will render only “#”. You can test the XSS Filter’s block mode here.

image

-Eric Lawrence

Comments

  • Anonymous
    February 17, 2011
    So how is Facebook and its games suppose to cross script, as this is a standard on all facebook extenal application, so that you can post this onto your friends feed ??????????????? grrrrrrrrrrrrrrr

  • Anonymous
    February 17, 2011
    @Debbie: Facebook uses various APIs for cross-domain communication. That's different than a cross-site scripting vulnerability.

  • Anonymous
    March 02, 2011
    So then why does IE keep blocking game postings in exactly the way this article describes? Keeps throwing the ie has blocked cross site scripting message and will not even allow a fix, even when you add both facebook and farmville to your trusted websites

  • Anonymous
    March 02, 2011
    @Michael: The XSS Filter is also enabled for the Trusted Sites zone, and the sites you've mentioned aren't opted-out of the filter.

  • Anonymous
    November 07, 2014
    I have setup  <add name="X-XSS-Protection" value="1; mode=block" /> in web.config. It does not work for me in IE11. thoughts?

  • Anonymous
    November 07, 2014
    @HP: It's entirely unclear what you mean when you say "does not work for me." What exactly doesn't work?

  • Anonymous
    December 08, 2014
    The comment has been removed

  • Anonymous
    December 10, 2014
    The comment has been removed

  • Anonymous
    December 10, 2014
    @EricLaw : Thanks for the reply. Yeah, now I am able to restrict the XSS, though "partially" after including the header "X-XSS-Protection: 1; mode=block" in the config file. I said  "partially", I mean i am able to restrict the <script> tag (If there's any <script> tag in the URL) after including the header suggested by you But its not restricting other HTML tags such as Img etc. Do we have to include anything else in the header to restrict the HTML tags in the URL...? Any thoughts on this...? And more thing, As we have XSS inbuilt in most of the browsers, We are enabling the XSS filter by including the header. Is the above header works for all browser or only specific to some browser..?

  • Anonymous
    December 11, 2014
    XSS is "Cross Site Scripting" -- it's not about preventing image tags or things unrelated to script. Not all browsers have a built-in defense to cross-site scripting; the proper approach is to ensure that your web applications do not allow XSS attacks through proper input sanitization.