Memo To Google: Stop Screwing with IE Security!
by Acidus at 3:58 pm EDT, Oct 7, 2009

I'm not sure how long this has been going on, but Google owned websites are turning off Internet Explorer 8's Cross Site Scripting Filter.

This is unbelievably stupid.

Google websites like FeedBurner and Blogger are including the X-XSS-Protection HTTP header to tell IE8 to disable its reflected XSS detection! See for yourself. Here are the headers for https://www.blogger.com/start:

HTTP/1.1 200 OK
Set-Cookie: [SNIPPED]
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 07 Oct 2009 19:53:41 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Server: GFE/2.0
Transfer-Encoding: chunked

Again, I am shocked at how utterly stupid this is. Google is downgrading the security of its website visitors!

IE's XSS filter is designed to detect reflected XSS attacks that appear in the query string of a URL. This is a Very Good Thing(tm). While there is a remote possibility that HTML markup passed in the query string of a URL could cause the XSS filter to false positive, you really should not have web apps whose design allows chunks of markup passed around the application in user controlled fields.

There is simply no reason anyone should ever use the header X-XSS-Protection. Period. Let alone Google.

Ping to Rich Canning... [PING]...
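As an added example (not code from the original post or from MemeStreams), here is a small audit script that parses a raw HTTP response like the one quoted above and reports what it tells IE8's reflected-XSS filter to do. The header values and their meaning are taken from the thread ("0" disables the filter) plus the "1; mode=block" variant, which the thread does not mention and is included here as an assumption about later filter behaviour; the sample response is the Blogger one from the post.

```python
# Added example, not part of the original thread: flag responses that turn
# off IE8's XSS filter. Defender's view: audit your own sites' headers.

def parse_response_headers(raw):
    """Split a raw HTTP response (status line + header block) into
    (status_line, {lowercase-name: value}). Repeated headers are joined
    with ', '. Parsing stops at the first blank line (start of body)."""
    lines = raw.strip().splitlines()
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status_line, headers

def xss_protection_status(headers):
    """Classify the X-XSS-Protection value as the filter would read it."""
    value = headers.get("x-xss-protection")
    if value is None:
        return "default"        # no header: browser default applies
    token = value.split(";")[0].strip()
    if token == "0":
        return "disabled"       # filter explicitly turned off (the thread's complaint)
    if token == "1":
        # "mode=block" is an assumed later variant, not discussed in the thread
        if "mode=block" in value.replace(" ", "").lower():
            return "enabled-block"
        return "enabled"
    return "unknown"

def audit(raw):
    """Return the security-relevant verdicts for one raw response."""
    status_line, headers = parse_response_headers(raw)
    return {
        "status_line": status_line,
        "x_xss_protection": xss_protection_status(headers),
        "nosniff": headers.get("x-content-type-options", "").lower() == "nosniff",
    }

# Sample response as quoted in the post above (cookie value already snipped there).
SAMPLE = """HTTP/1.1 200 OK
Set-Cookie: [SNIPPED]
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 07 Oct 2009 19:53:41 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Server: GFE/2.0
Transfer-Encoding: chunked
"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # x_xss_protection comes back as "disabled"
```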

RE: Memo To Google: Stop Screwing with IE Security!
by Simon C. Ion at 6:29 pm EDT, Oct 7, 2009

There is simply no reason anyone should ever use the header X-XSS-Protection. Period. Let alone Google.

Remind me again why J. Random Server Admin (or John Q. Man-in-the-Middle) can remotely disable XSS filtering? What's wrong with the way that NoScript handles this?


RE: Memo To Google: Stop Screwing with IE Security!
by Acidus at 1:08 am EDT, Oct 8, 2009

Simon C. Ion wrote:

There is simply no reason anyone should ever use the header X-XSS-Protection. Period. Let alone Google.

Remind me again why J. Random Server Admin (or John Q. Man-in-the-Middle) can remotely disable XSS filtering? What's wrong with the way that NoScript handles this?

If John Q. Man-in-the-Middle is playing with you having your XSS filter is the *least* of your worries ;-)

Keep in mind this is an IE only feature, so NoScript will keep on working no problem.

Now that you mention it I'd be interested in seeing a side-by-side comparison of IE8 XSS filtering and NoScript's. I've seen some great IE8 XSS evasion work done by some of the folks on sla.ckers but never a comparison...


RE: Memo To Google: Stop Screwing with IE Security!
by Michael Coates at 11:10 am EDT, Oct 8, 2009

Sadly, IE8's XSS filter is overly aggressive. It actually breaks the ability to use Google to search for things like < script >. Try intercepting the responses and removing that tag. If you go to Google and search for < script >, the first search will work (it's a POST). But if you go up to the URL and hit enter (now creating a GET request), IE8 will detect an XSS attack.

I did some testing on this and put my results here: link

http://michael-coates.blogspot.com/2009/07/ie-8-anti-xss-bit-overblown.html

-Michael


RE: Memo To Google: Stop Screwing with IE Security!
by Simon C. Ion at 1:37 am EDT, Oct 9, 2009

Acidus wrote:
If John Q. Man-in-the-Middle is playing with you having your XSS filter is the *least* of your worries ;-)

No doubt. One of these days, my foot will grow to be too big to fit into my mouth.

Acidus wrote:
Keep in mind this is an IE only feature, so NoScript will keep on working no problem.

Right. That wasn't what I was driving at with my question. Lemme rephrase it.

a) Why is a server operator- or web publisher-driven "XSS protect off" switch considered, from a security standpoint, superior to a client- (or Domain Administrator-) driven whitelist?
b) If there is simply no reason for anyone to ever use this switch, why does it exist? Shouldn't it be welded in the "Secure" position?


RE: Memo To Google: Stop Screwing with IE Security!
by zak at 3:57 pm EDT, Oct 18, 2009

Please forgive my ignorance, but if a site like google can disable this feature, doesn't that mean a malicious web site will be able to disable it too?

