Controlling the XSS Filter

Internet Explorer 8 included a novel new feature to help prevent reflected cross-site scripting attacks, known as the XSS Filter. This filter runs by default in the Internet, Trusted, and Restricted security zones. Local Intranet zone pages may opt-in to the protection using the same header:

X-XSS-Protection: 1

If a cross-site scripting attack is detected, Internet Explorer 8 and 9 will attempt to make the smallest possible modification to the returned web page in order to block the attack. Here’s an example. In most cases, the modification is to change one or more characters in the returned page into the hash character (“#”) breaking any script that may have been reflected from the outbound HTTP request.

Pages that have been secured against XSS via server-side logic may opt-out of this protection using a HTTP response header:

X-XSS-Protection: 0

In March of 2010, we added to IE8 support for a new token in the X-XSS-Protection header, mode=block.

X-XSS-Protection: 1; mode=block

When this token is present, if a potential XSS Reflection attack is detected, Internet Explorer will prevent rendering of the page. Instead of attempting to sanitize the page to surgically remove the XSS attack, IE will render only “#”. You can test the XSS Filter’s block mode here.


-Eric Lawrence

Comments (10)
  1. Debbie says:

    So how is Facebook and its games suppose to cross script, as this is a standard on all facebook extenal application, so that you can post this onto your friends feed ??????????????? grrrrrrrrrrrrrrr

  2. @Debbie: Facebook uses various APIs for cross-domain communication. That's different than a cross-site scripting vulnerability.

  3. Michael says:

    So then why does IE keep blocking game postings in exactly the way this article describes? Keeps throwing the ie has blocked cross site scripting message and will not even allow a fix, even when you add both facebook and farmville to your trusted websites

  4. EricLaw [MSFT] says:

    @Michael: The XSS Filter is also enabled for the Trusted Sites zone, and the sites you've mentioned aren't opted-out of the filter.

  5. HP says:

    I have setup  <add name="X-XSS-Protection" value="1; mode=block" /> in web.config. It does not work for me in IE11. thoughts?

  6. @HP: It's entirely unclear what you mean when you say "does not work for me." What exactly doesn't work?

  7. codegeek says:

    @EricLaw : If i am not wrong then I think this is what "HP" is pointing, Even after including "X-XSS-Protection: "1; mode=block" in the config file , the website is still vulnerable to XSS in IE11. I have the same question, I have included the above line in the config file but IE11(even firefox and chrome ) is still vulnerable to XSS. Any thoughts..?

  8. @codegeek: X-XSS-Protection isn't any kind of magic talisman that wards off evil– it has a specific technical function in mitigating XSS attacks.

    Since you haven't provided any information (e.g. URL, repro steps, network traces, etc) that would allow me to reproduce your issue, I'm unlikely to be able to help.

  9. codegeek says:

    @EricLaw : Thanks for the reply. Yeah, now I am able to restrict the XSS, though "partially" after including the header "X-XSS-Protection: 1; mode=block" in the config file.

    I said  "partially", I mean i am able to restrict the <script> tag (If there's any <script> tag in the URL) after including the header suggested by you But its not restricting other HTML tags such as Img etc.

    Do we have to include anything else in the header to restrict the HTML tags in the URL…?

    Any thoughts on this…?

    And more thing, As we have XSS inbuilt in most of the browsers, We are enabling the XSS filter by including the header. Is the above header works for all browser or only specific to some browser..?

  10. XSS is "Cross Site Scripting" — it's not about preventing image tags or things unrelated to script. Not all browsers have a built-in defense to cross-site scripting; the proper approach is to ensure that your web applications do not allow XSS attacks through proper input sanitization.

Comments are closed.

Skip to main content