I have the following setup: <code>GET /foo</code> - displays a form with a textarea containing markup which posts to <code>/bar</code> <code>POST /bar</code> - generates a <code>ERR_BLOCKED_BY_XSS_AUDITOR</code> error in Chrome (started recently) How can I get around that? I read that I should be able to use the <code>X-XSS-Protection: 0</code> header to get around this, but should I send that as a request header or a response header? On the <code>/foo</code> URL or the <code>/bar</code> one?

You must send response header on the server side. For example Node.js with Express <pre class="prettyprint"><code>res.header('X-XSS-Protection' , 0 ); </code></pre> Or for PHP <pre class="prettyprint"><code>header("X-XSS-Protection: 0"); </code></pre>

Preventing ERR_BLOCKED_BY_XSS_AUDITOR in chrome

Tags:

http

google-chrome

xss

I have the following setup:

GET /foo - displays a form with a textarea containing markup which posts to /bar

POST /bar - generates a ERR_BLOCKED_BY_XSS_AUDITOR error in Chrome (started recently)

How can I get around that? I read that I should be able to use the X-XSS-Protection: 0 header to get around this, but should I send that as a request header or a response header? On the /foo URL or the /bar one?