Comments

Nate 10:55 PM on 12 Jan 2010

Wow, that Stack Overflow discussion is crazy. Really looks like the XSS filter thing is terrible. I'm glad you pointed it out, it's likely we could get hit by that too. They seem to indicate that you can just disable it with that X-XSS-Protection flag set to 0, since you're in control of the third-party site (HP). I take it that's not a viable solution? (Sounds like something to which the bosses wouldn't take kindly)

Ned Batchelder 9:00 AM on 13 Jan 2010

The good news is the third-party site is the one that can set the X-XSS-Protection header. I had initially thought the third-party site was the untrusted one, so why would they be allowed to disable the filter? But it works.

David Ross 7:20 PM on 13 Jan 2010

Ned, I work on the IE XSS Filter at Microsoft. Hopefully I can help you work through any issues you may have.

For reference, here are some articles on the filter that describe our goals, design philosophy, and architecture:
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
http://blogs.technet.com/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

If you'd like to get in contact with me but are unable to see the email address associated with this post, please drop me a note here:
http://blogs.msdn.com/dross/contact.aspx

It looks like you may already be in good shape with the header and I see EricLaw responded on StackOverflow. Please let me know if you have any further issues/questions/feedback though, I'd be happy to chat.
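
The fix the thread settles on, the third-party page sending X-XSS-Protection: 0, as an added example that is not code from the original post, the Stack Overflow thread, or the IE team. It is a small WSGI middleware that sets the header on HTML responses, replacing (not duplicating) any value the page already sends, plus a helper that reports what IE8 will do with a given header set: "0" turns the filter off, "1; mode=block" makes a detected reflection block the whole page, and anything else (including no header at all) leaves the default filtering on. All names here (DisableXssFilter, demo_app, run_once) and the sample page are this example's own, not Ned's or HP's setup. The header only changes browser behaviour; it does nothing for the underlying reflected-input problem, so output encoding on the page is still required.

```python
"""
Added example: WSGI middleware that emits X-XSS-Protection: 0 so the IE8 XSS
Filter leaves the (trusted, third-party-hosted) page alone.  Not from the
original post; names and the demo page are constructed for this example.
"""
import re

HEADER = "X-XSS-Protection"


def with_xss_filter_disabled(headers):
    """Return a copy of a WSGI header list with X-XSS-Protection set to "0".

    Any existing X-XSS-Protection value is dropped first: sending the header
    twice leaves the browser to pick one, so replacing is safer than appending.
    """
    kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
    kept.append((HEADER, "0"))
    return kept


def is_html(headers):
    """True when the response is (X)HTML; the filter rewrites pages, so other
    content types are left untouched by the middleware."""
    for k, v in headers:
        if k.lower() == "content-type":
            media = v.split(";")[0].strip().lower()
            return media in ("text/html", "application/xhtml+xml")
    return False


def filter_state(headers):
    """Approximate what IE8 does with the response headers:
    'off'    - value 0: filter disabled for this response
    'block'  - value 1; mode=block: a suspected reflection blocks the page
    'filter' - any other value, or no header at all (the IE8 default for
               Internet-zone sites): suspected script is neutered in place
    """
    for k, v in headers:
        if k.lower() == HEADER.lower():
            value = v.strip().lower()
            if value == "0":
                return "off"
            if re.match(r"^1\s*;\s*mode\s*=\s*block$", value):
                return "block"
            return "filter"
    return "filter"


class DisableXssFilter:
    """WSGI middleware: adds X-XSS-Protection: 0 to every HTML response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if is_html(headers):
                headers = with_xss_filter_disabled(headers)
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Stand-in for the embedded third-party page (constructed for the demo).
    It already sends the header in filter mode, to show it being replaced."""
    body = b"<html><body>embedded page</body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-XSS-Protection", "1")])
    return [body]


def run_once(app, path="/"):
    """Call a WSGI app with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": "http", "SERVER_NAME": "localhost",
               "SERVER_PORT": "80"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, raw_headers, _ = run_once(demo_app)
    print("before:", filter_state(raw_headers), raw_headers)
    _, headers, _ = run_once(DisableXssFilter(demo_app))
    print("after: ", filter_state(headers), headers)
```

Wrap the real application the same way (`application = DisableXssFilter(application)`) or set the equivalent header in the web server configuration; either way, check the live response with a proxy or browser tools, since a framework or upstream server can add its own X-XSS-Protection header after yours.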
