I have tried to put this:
<meta http-equiv="X-XSS-Protection" content="0">
in the <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scripting.
The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. The filter is usually enabled by default, but sending the header enforces it.
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
0: It disables the X-XSS-Protection.
1: It is the default directive and enables the X-XSS-Protection.
1; mode=block: It enables the X-XSS-Protection. If the browser detects an attack, it will not render the page.
HttpOnly cookies do not prevent cross-site scripting (XSS) attacks, but they do lessen the impact and prevent the need to sign out users after the XSS is patched.
I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.
In PHP, you'd do it like
header("X-XSS-Protection: 0");
In ASP.net:
Response.AppendHeader("X-XSS-Protection","0")
In Apache's config:
Header set X-XSS-Protection 0
In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.
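The following check is an added example, not code from the question or the answer: it parses the three header values listed above and reports whether a response carries X-XSS-Protection as a real HTTP header or only as a meta tag in the markup. The function names and the sample page are constructed, and it assumes, as the answer suggests, that the meta form is not honored.

```python
from html.parser import HTMLParser

NAME = "x-xss-protection"

def parse_value(value):
    """Map a header value onto the three forms: 0, 1, 1; mode=block."""
    parts = [p.replace(" ", "").lower() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = parts[0] == "1"
    return {"enabled": enabled, "block": enabled and "mode=block" in parts[1:]}

class MetaFinder(HTMLParser):
    """Collects content= of every <meta http-equiv="X-XSS-Protection">."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == NAME:
            self.values.append(attrs.get("content") or "")

def audit(headers, body):
    """Report which setting the response really carries.

    Assumption (from the answer): only the HTTP response header counts,
    a <meta http-equiv> copy in the markup does not.
    """
    sent = {k.lower(): v for k, v in headers.items()}.get(NAME)
    finder = MetaFinder()
    finder.feed(body)
    notes = []
    if finder.values and sent is None:
        notes.append("meta tag only: have the web server send the header")
    elif finder.values and any(parse_value(m) != parse_value(sent) for m in finder.values):
        notes.append("meta tag disagrees with the header; the header wins")
    return {"policy": parse_value(sent) if sent is not None else None,
            "meta_values": finder.values, "notes": notes}

# Constructed sample page (not captured traffic), mirroring the question.
PAGE = '<html><head><meta http-equiv="X-XSS-Protection" content="0"></head></html>'

if __name__ == "__main__":
    print(audit({"Content-Type": "text/html"}, PAGE))
    print(audit({"X-XSS-Protection": "1; mode=block"}, PAGE))
```

A `policy` of `None` means the server sent no such header, so the browser's default applies regardless of what the markup says.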