
Is there a method by which we can detect if a user using IE8 has the XSS filter enabled?

As far as I can tell, nothing changes in the User Agent or in the HTTP headers when IE8 has the XSS filter enabled vs. when it does not. That leaves some client-side detection of the use of the filter. Would it be possible to write a test page that will tell me if the filter is active?

Bernard Chen
There's no client-side method to detect whether the XSS filter is enabled. You could, of course, simulate an XSS attack to detect it, but that would show UI to the user. Of course, the real question is why you'd want to do that; if your hope is to opt out, use X-XSS-Protection. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx – EricLaw May 03 '11 at 04:34

1 Answer


I know of no way to tell. IE fails to throw an error when it blocks the communications, and IE has no way to check what settings (or what security zone) IE has from JavaScript. So, you have no idea what is going on. This XSS filter is a menace.

Scott.
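
Since the filter state cannot be read from script, the only lever a site has is the X-XSS-Protection response header named in the comment above. The following is an added example, not part of the original thread: it builds the header value for a response and audits what a captured response actually declares. The value syntax (`0`, `1`, `1; mode=block`) is the header's documented form rather than something stated on this page, and all function names are hypothetical.

```javascript
// Added example (Node.js). Function names are hypothetical.

// Map a site policy to the header value sent with a response.
function buildXssProtection(policy) {
  switch (policy) {
    case 'off':   return '0';              // opt this response out of the filter
    case 'on':    return '1';              // filter on, sanitise the reflected part
    case 'block': return '1; mode=block';  // filter on, refuse to render the page
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Interpret a header value as the browser would be instructed by it.
function parseXssProtection(value) {
  // No header: the browser applies the user's own setting, which the
  // server and page script cannot observe.
  if (value === undefined || value === null) {
    return { state: 'browser-default', block: false };
  }
  const parts = String(value).split(';').map((s) => s.trim().toLowerCase());
  if (parts[0] === '0') return { state: 'disabled', block: false };
  if (parts[0] === '1') {
    const block = parts.slice(1).some((p) => p.replace(/\s+/g, '') === 'mode=block');
    return { state: 'enabled', block };
  }
  return { state: 'invalid', block: false };
}

// Node-style request handler that opts its response out of the filter.
function optOutHandler(req, res) {
  res.setHeader('X-XSS-Protection', buildXssProtection('off'));
  res.end('XSS filter disabled for this response\n');
}

// Audit a response's headers (lower-cased keys, as Node exposes them).
function auditResponse(headers) {
  return parseXssProtection(headers['x-xss-protection']);
}
```

`optOutHandler` can be passed to `http.createServer`; `auditResponse` takes the `headers` object of any fetched response.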