
I run my application in Chrome, and it has an error:

Refused to execute script from 'http://example.com/info?no=31&magic=1184' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. 

From this topic, I know I should set the HTTP header X-XSS-Protection: 0

Refused to execute a JavaScript script. Source code of script found within request

I use RoR to set it as this:

def info
  response.headers['X-XSS-Protection'] = '0'
  # Other logic
end

But the result is, the HTTP header is still:

X-XSS-Protection:1; mode=block
X-XSS-Protection:0

When I try it in Firefox, the http header is:

X-XSS-Protection    0, 1; mode=block

And it can run perfectly.

Why does it have 1; mode=block? How do I remove it?

j-zhang

1 Answer


This is nothing to do with XSS protection. You need to change the Content-Type HTTP header on http://example.com/info?no=31&magic=1184 from text/html to text/javascript.

guest
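The check behind the Chrome error, as an added example that is not part of the original question or answer: a script response is refused when strict MIME type checking applies and the Content-Type is not a JavaScript MIME type, regardless of X-XSS-Protection. The sample headers are constructed from the question; the `X-Content-Type-Options: nosniff` line is an assumption (it is the header that turns on strict MIME type checking), and the function names are hypothetical.

```ruby
# MIME types browsers accept for scripts when nosniff is in effect.
JS_MIME_TYPES = %w[
  application/ecmascript application/javascript application/x-ecmascript
  application/x-javascript text/ecmascript text/javascript text/jscript
  text/livescript text/x-ecmascript text/x-javascript
  text/javascript1.0 text/javascript1.1 text/javascript1.2
  text/javascript1.3 text/javascript1.4 text/javascript1.5
].freeze

# Parse raw "Name: value" lines. Repeated headers are joined with ", ",
# the combined form Firefox showed for the duplicated X-XSS-Protection.
def parse_headers(raw)
  raw.each_line.with_object({}) do |line, h|
    name, value = line.strip.split(':', 2)
    next if value.nil?
    key = name.strip.downcase
    h[key] = h.key?(key) ? "#{h[key]}, #{value.strip}" : value.strip
  end
end

# Essence of a Content-Type value: drop parameters such as charset.
def mime_essence(content_type)
  content_type.to_s.split(';').first.to_s.strip.downcase
end

# True when a <script> load of this response is refused under nosniff.
def script_blocked?(headers)
  first = headers['x-content-type-options'].to_s.split(',').first.to_s
  nosniff = first.strip.downcase == 'nosniff'
  nosniff && !JS_MIME_TYPES.include?(mime_essence(headers['content-type']))
end

# Constructed sample modelled on the question (nosniff line is assumed).
BEFORE = <<~HDRS
  Content-Type: text/html; charset=utf-8
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 0
  X-XSS-Protection: 1; mode=block
HDRS
# Same response after the fix from the answer: only Content-Type changes.
AFTER = BEFORE.sub('text/html', 'text/javascript')

puts "before: blocked=#{script_blocked?(parse_headers(BEFORE))}"
puts "after:  blocked=#{script_blocked?(parse_headers(AFTER))}"
```

In a Rails action the Content-Type comes from the render call; `render js: ...` responds as text/javascript.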