[philiptellis] /bb|[^b]{2}/
Never stop Grokking

Friday, March 18, 2011


Internet Explorer 8 has a "useful" feature where it tries to detect if a page is under an XSS attack. If it thinks it has detected an attack, it will disable the malicious code and warn the user about it. Sound good on the surface of it, except that it's often wrong, often with ads. In most cases with security issues, it's better to err on the side of caution, but what happens here is that IE ends up warning your users about non-existent security issues on your site. Users lose trust in your site and everyone loses.

If you already take proactive steps to protect your users from XSS attacks, you SHOULD disable the check and warning. To do this, add the following HTTP header to all your responses:
X-XSS-Protection: 0
How you do that depends on the server you're using. For apache, you'd add this to one of your apache conf files:
Header add X-XSS-Protection 0


May 18, 2011 10:34 PM

Cool, good to know...for my malicious proxy, muhahah.

Post a Comment