Chrome: ERR_BLOCKED_BY_XSS_AUDITOR details

I'm getting this Chrome flag when trying to post and then get a simple form.

The problem is that the Developer Console shows nothing about this and I cannot find the source of the problem by myself.

Is there any option for looking at this in more detail? Viewing the piece of code triggering the error so I can fix it...

asked by piraces, Apr 06 '17 08:04


2 Answers

The simple way to bypass this error during development is to send a header to the browser.

Put the header before sending data to the browser.

In PHP you can send this header to bypass the error (send header reference):

header('X-XSS-Protection:0'); 

In ASP.NET you can send this header (send header reference):

HttpContext.Response.AddHeader("X-XSS-Protection","0");
// or
HttpContext.Current.Response.AddHeader("X-XSS-Protection","0");

In Node.js send this header (send header reference):

res.writeHead(200, {'X-XSS-Protection': '0'});
// or with Express:
res.set('X-XSS-Protection', '0');
answered by A1Gard, Oct 16 '22 13:10


Chrome v58 might or might not fix your issue... It really depends on what you're actually POSTing. For example, if you're trying to POST some raw HTML/XML data within an input/select/textarea element, your request might still be blocked by the auditor.

In the past few days I hit this issue in two different scenarios: a WYSIWYG client-side editor and an interactive upload form featuring some kind of content preview. I managed to fix them both by base64-encoding the raw HTML before POSTing it, then decoding it on the receiving PHP page. This will most likely fix the issue and, most importantly, increase the developer's awareness regarding the data coming from POST requests, hopefully pushing them into adopting effective data encoding/decoding strategies and strengthening their web application against XSS-type attacks.

To base64-encode your content on the client side you can either use the native btoa() function, which is supported by most browsers nowadays, or a third-party alternative such as a jQuery plugin (I ended up using this, which worked ok).

To base64-decode the POST data you can then use PHP's base64_decode(str) function, ASP.NET's Convert.FromBase64String(str) or anything else (depending on your server-side scenario).

For further info, check out this blog post that I wrote on the topic.

answered by Darkseal, Oct 16 '22 14:10
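The round trip described in the answer above, written out as an added example (not the answerer's code or the linked plugin): the client-side encoder is made UTF-8 safe, since a plain btoa(html) throws on characters outside Latin-1, and the server side validates the field, decodes it, and HTML-escapes the result before reflecting it into a preview. The function names, the assumed form field `content_b64`, and the sample markup are all constructed for this example.

```javascript
// Client side: base64-encode the editor's raw HTML before POSTing it.
// btoa() only accepts Latin-1 strings, so convert to UTF-8 bytes first;
// the fallback keeps the same function usable in Node for the server-side test.
function encodeHtmlForPost(html) {
  const bytes = new TextEncoder().encode(html);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64');
}

// Server side (Node): reject anything that is not well-formed base64 before
// decoding, so a malformed field fails loudly instead of decoding to garbage.
function decodePostedHtml(b64) {
  if (typeof b64 !== 'string' || b64.length % 4 !== 0 ||
      !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error('content_b64 is not valid base64');
  }
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Escape the decoded string before it is written into a response body.
// Reflecting the submitted markup back unescaped is exactly the pattern the
// auditor reacts to; rendering it as live HTML instead would need a sanitizer.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Build the preview fragment from the POSTed form body ({ content_b64: '...' }).
function renderPreview(body) {
  const html = decodePostedHtml(body.content_b64);
  return '<pre class="preview">' + escapeHtml(html) + '</pre>';
}

// Constructed sample: what a WYSIWYG editor might submit.
const sampleHtml = '<p>Héllo <script>alert(1)</script> "world" ✓</p>';
const posted = { content_b64: encodeHtmlForPost(sampleHtml) };
console.log(renderPreview(posted));
```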