I have the following setup:
GET /foo - displays a form with a textarea containing markup which posts to /bar
POST /bar - generates an ERR_BLOCKED_BY_XSS_AUDITOR error in Chrome (started recently)
How can I get around that? I read that I should be able to use the X-XSS-Protection: 0 header to get around this, but should I send that as a request header or a response header? On the /foo URL or the /bar one?
You must send the response header on the server side. For example, in Node.js with Express:
res.header('X-XSS-Protection', 0);
Or for PHP:
header("X-XSS-Protection: 0");
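Applied to the /foo and /bar routes from the question, as an added example that is not part of the original answer: the header is set only on the response to POST /bar, the page the auditor blocks, and GET /foo is left unchanged. It assumes Node's built-in http module, that /bar echoes a form field named markup, and port 3000; handle, escapeHtml and serve are hypothetical names.

```javascript
// Added example. Routes /foo and /bar are from the question; the field name
// "markup", the port and all function names are assumptions.

// Encode text for HTML so submitted markup is displayed, not executed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Pure route handler: returns { status, headers, body } so it can be checked
// without opening a socket.
function handle(method, path, rawBody) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (method === 'GET' && path === '/foo') {
    return { status: 200, headers, body:
      '<form method="post" action="/bar"><textarea name="markup"></textarea>' +
      '<button>Send</button></form>' };
  }
  if (method === 'POST' && path === '/bar') {
    // Response header, scoped to the one route that reflects request data.
    headers['X-XSS-Protection'] = '0';
    // With the auditor off, output encoding is the XSS control on this response.
    const markup = new URLSearchParams(rawBody).get('markup') || '';
    return { status: 200, headers, body: '<pre>' + escapeHtml(markup) + '</pre>' };
  }
  return { status: 404, headers, body: 'Not found' };
}

// Optional wiring: `node example.js serve` listens on 127.0.0.1:3000.
function serve(port) {
  return import('node:http').then(http => http.createServer((req, res) => {
    let raw = '';
    req.on('data', chunk => { raw += chunk; });
    req.on('end', () => {
      const out = handle(req.method, req.url, raw);
      res.writeHead(out.status, out.headers);
      res.end(out.body);
    });
  }).listen(port, '127.0.0.1'));
}
if (process.argv[2] === 'serve') serve(3000);
```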