
We have an ASP.NET website (https://website.example.com) which is loading external libraries (CSS and JavaScript) from a different sub-domain (https://library.example.com).

The resources we are loading via the library project are only CSS files and JavaScript plugins, which themselves don't make any requests (via AJAX).

Testing the website in normal environments, everything works fine.

However, opening it from an Internet Explorer 8 browser returns an error:

internet explorer has modified this page to prevent cross site scripting

Could the fact that we are referencing external resources cause the error?

If yes, what would be the solution to fix this problem?

I think 90% of websites download references from external domains (like CDN servers, for example).

Catalin

1 Answer

Here's one way: configure the X-XSS-Protection header on your server. This will tell IE to disable XSS protection on your site.

Looks something like this:

GET / HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 01 Feb 2012 03:42:24 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=6ddbc0a0342e7e63:FF=0:TM=1328067744:LM=1328067744:S=4d4farvCGl5Ww0C3; expires=Fri, 31-Jan-2014 03:42:24 GMT; path=/; domain=.google.com
Set-Cookie: NID=56=PgRwCKa8EltKnHS5clbFuhwyWsd3cPXiV1-iXzgyKsiy5RKXEKbg89gWWpjzYZjLPWTKrCWhOUhdInOlYU56LOb2W7XpC7uBnKAjMbxQSBw1UIprzw2BFK5dnaY7PRji; expires=Thu, 02-Aug-2012 03:42:24 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked

1000

Please read here for more details

DhruvJoshi
  • So `X-XSS-Protection: 1; mode=block` enables it and `X-XSS-Protection: 0` disables it? If `X-XSS-Protection: 1` enables it, then why does Google work, which is loading external references from the `https://maps.gstatic.com/` domain? Shouldn't they disable it by setting it to `0`? – Catalin Feb 04 '14 at 09:12
  • `X-XSS-Protection: 0` is for disabling it. By default it is `X-XSS-Protection: 1`, and you can explicitly set it to enable it. So when it is 1 and IE is the browser, if a cross-site scripting attack is detected, IE 8 and 9 will attempt to make the smallest possible modification to the returned web page in order to block the attack. `X-XSS-Protection: 1; mode=block` will block the content, i.e. prevent rendering of the page. – DhruvJoshi Feb 04 '14 at 09:30
  • reference source: http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx – DhruvJoshi Feb 04 '14 at 09:30
  • @RaraituL: Please mark this as answer if you are satisfied. – DhruvJoshi Feb 04 '14 at 09:39
  • Thank you for the links you provided. However, I am still confused. Why does Google have `X-XSS-Protection: 1; mode=block`, access resources from external sub-domains, and at the same time no `cross scripting` error appears? – Catalin Feb 04 '14 at 09:45
  • There is a difference in the implementation of prevention of XSS or the Same Origin Policy between browsers. What is wrong for IE (a stickler in its own world) may be OK for Chrome. See Google's reference on SOP/XSS here at https://code.google.com/p/browsersec/wiki/Part2 – DhruvJoshi Feb 04 '14 at 09:54
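For an ASP.NET site like the one in the question, the header is normally set once in web.config rather than in each page. The fragment below is an added example, not code from the answer above or from any project; the host name is the question's placeholder, and it assumes IIS 7 or later running the site in integrated pipeline mode, where ASP.NET honours the `system.webServer/httpProtocol/customHeaders` collection. The value `0` is the one the answer's prose describes (filter off for this origin); the commented-out alternative is the value from the Google response quoted in the answer (filter on, page blocked rather than rewritten), which the comment thread explains.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example for https://website.example.com (placeholder from the question),
     not code from the answer. Assumes IIS 7+ in integrated pipeline mode, where
     ASP.NET applies system.webServer/httpProtocol/customHeaders to every response. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop any X-XSS-Protection value inherited from a parent web.config or
             applicationHost.config so exactly one copy of the header is sent. -->
        <remove name="X-XSS-Protection" />

        <!-- 0: switch the IE 8+ XSS filter off for responses from this origin.
             This is the setting that stops the "Internet Explorer has modified
             this page to help prevent cross-site scripting" message. -->
        <add name="X-XSS-Protection" value="0" />

        <!-- Alternative: keep the filter on, but have IE block the whole page
             instead of rewriting it (the value seen in the Google response above).
        <add name="X-XSS-Protection" value="1; mode=block" />
        -->
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Check the result by loading any page and reading the response headers (the F12 Network tab in IE, or `curl -I https://website.example.com/`); there should be a single `X-XSS-Protection` line. One caveat before disabling it site-wide: the IE filter fires when script-like content from the request (query string or form field) is echoed back in the response, not simply because scripts are loaded from another sub-domain, so if the message appears on a particular page it is worth finding what that page reflects before turning the filter off for the whole site.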