
I am facing a weird issue with the Chrome browser. It's an online donation form. The user has a choice to contribute different amounts. This form contains a few radio buttons along with an option to provide another donation amount also. This form works fine in IE and Firefox, but is not working properly on Chrome. The issue seems to be happening only on a postback. On postback the JavaScript functions "selectAmount" and "selectOtherAmount" are not working. Basically, on the click event of the radio buttons I am calling the above simple JS functions. Looks like Chrome is treating this as cross-site scripting and blocking it.

The Chrome debugger shows the following error on postback:

"The XSS Auditor refused to execute a script in 'myform.aspx?id=12345' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."

Here is my code:

// One row per configured amount level. item[0] is the amount (or the marker
// "__OTHER__" for the free-text row), item[1] its label, and selectedValue is
// the value that came back with the postback. donationOption is interpolated,
// unencoded, into the id, name and the inline onclick handler of every row.
if (item[0] == "__OTHER__")
{
    // Free-text amount: radio button plus text box, both wired to
    // selectOtherAmount through inline event handlers.
    if (selectedValue == "__OTHER__")
    {
        amountLevels.Append("<tr><td><input type=\"radio\" name=\"levelamount-" + donationOption + "\" id=\"rbAmountOther-" + donationOption + "\" value=\"" + defaultOtherAmount.ToString("0.00") + "\" onclick=\"selectOtherAmount(this.value,'" + donationOption + "');\" checked=\"checked\"  /></td>");
    }
    else
    {
        amountLevels.Append("<tr><td><input type=\"radio\" name=\"levelamount-" + donationOption + "\" id=\"rbAmountOther-" + donationOption + "\" value=\"" + defaultOtherAmount.ToString("0.00") + "\" onclick=\"selectOtherAmount(this.value,'" + donationOption + "'); \"  /></td>");
    }
    // The text box is disabled until the "other" radio is selected.
    amountLevels.Append("<td><input type=\"text\" id=\"txtAmountOther\" value=\"" + defaultOtherAmount.ToString("0.00") + "\" " + disabled + " onchange=\"selectOtherAmount(this.value,'" + donationOption + "');\" onkeypress=\"return isValidAmount(event);\" style=\"width:70px;\" />" + item[1] + "</td></tr>");
}
else if (string.Compare(selectedValue, item[0], true) == 0)
{
    // Fixed amount that matches the posted value: render it pre-checked.
    amountLevels.Append("<tr><td><input type=\"radio\" id=\"rdbAmount-" + donationOption + index + "\" name=\"levelamount-" + donationOption + "\" value=\"" + amount.ToString("0.00") + "\" checked=\"checked\" onclick=\"selectAmount(this.value,'" + donationOption + "');\"></td><td>&nbsp;&nbsp;" + amountLabel + "</td></tr>");
    selectedAmount = amount.ToString("0.00");
}
else
{
    // Fixed amount that is not the current selection.
    amountLevels.Append("<tr><td><input type=\"radio\" id=\"rdbAmount-" + donationOption + index + "\" name=\"levelamount-" + donationOption + "\" value=\"" + amount.ToString("0.00") + "\" onclick=\"selectAmount(this.value,'" + donationOption + "');\"></td><td>&nbsp;&nbsp;" + amountLabel + "</td></tr>");
}
Henry

1 Answer


This "feature" can be disabled by sending the non-standard HTTP header X-XSS-Protection on the affected page.

X-XSS-Protection: 0

See this post: Refused to execute a JavaScript script. Source code of script found within request

Mohammad Areeb Siddiqui
  • This is working fine in IE and FF, happening only on Chrome. Do you think it's a good idea to disable this protection, as this is an HTTPS site? If so, can you provide me some example of how to disable it? – Henry Oct 16 '14 at 19:39
  • I was able to set X-XSS-Protection: 0, and my page is working and it solved my problem. But is it advisable to block protection? My only concern is, does it pave the way for cross-site scripting? – Henry Oct 16 '14 at 20:43
  • X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the "XSS Filter" of IE8, **which prevents some categories of XSS attacks**. IE8 has the filter activated by default, but servers can switch it off by setting it. Of course, if you want to prevent the site from XSS attacks, do enable it, but it's your CSP, I believe, which is not enabling you to do it that way. – Mohammad Areeb Siddiqui Oct 17 '14 at 14:24
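The auditor fires because the inline onclick text in the response (which embeds donationOption) also appears in the postback request. Sending X-XSS-Protection: 0, as the answer suggests, silences the heuristic but leaves the unencoded concatenation in the question's code in place. The alternative below is an added example, not the asker's or answerer's code: it renders the same rows with no inline handlers, attribute-encodes every request-derived value, and sends a Content-Security-Policy (which, per the error text, also keeps the auditor from being enabled) instead of turning the filter off. The request parameter names, the sample levels and the litAmounts Literal control are assumptions.

```csharp
using System;
using System.Globalization;
using System.Text;
using System.Web;
using System.Web.UI;

// Added example, not the asker's code. The amount chooser is rendered with no
// inline event handler at all: nothing in the response is script text, so the
// auditor has nothing to match against the request, and the same change makes
// a strict Content-Security-Policy possible.
public partial class MyForm : Page
{
    // Hypothetical sample levels: {value, label}; "__OTHER__" marks the free-text row.
    private static readonly string[][] Levels =
    {
        new[] { "25", "$25" },
        new[] { "50", "$50" },
        new[] { "__OTHER__", "Other amount" },
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        // With a CSP present Chrome does not enable the auditor (the error text
        // says it is enabled only when neither header is sent). Unlike
        // X-XSS-Protection: 0, this policy also blocks any inline script an
        // attacker injects, which is exactly why the markup below has no onclick.
        Response.AppendHeader("Content-Security-Policy",
            "default-src 'self'; script-src 'self'");

        // Both values originate in the request and are therefore untrusted.
        // (Parameter names and the litAmounts Literal control are assumptions.)
        string donationOption = Request["option"] ?? "general";
        string selectedValue = Request["levelamount-" + donationOption] ?? "";
        litAmounts.Text = RenderAmountRows(donationOption, selectedValue, 10.00m);
    }

    // Builds the same rows as the original code, but every request-derived value
    // is HTML-attribute-encoded and the option is carried in data-option, which
    // the external script reads back with e.target.dataset.option.
    internal static string RenderAmountRows(string donationOption, string selectedValue,
                                            decimal defaultOtherAmount)
    {
        string opt = HttpUtility.HtmlAttributeEncode(donationOption);
        string groupName = "levelamount-" + opt;
        var rows = new StringBuilder();

        for (int index = 0; index < Levels.Length; index++)
        {
            string[] item = Levels[index];
            string label = HttpUtility.HtmlEncode(item[1]);
            bool isChecked = string.Equals(selectedValue, item[0], StringComparison.OrdinalIgnoreCase);
            string checkedAttr = isChecked ? " checked=\"checked\"" : "";

            if (item[0] == "__OTHER__")
            {
                string amount = defaultOtherAmount.ToString("0.00", CultureInfo.InvariantCulture);
                rows.Append("<tr><td><input type=\"radio\" class=\"amount-other\" name=\"")
                    .Append(groupName).Append("\" id=\"rbAmountOther-").Append(opt)
                    .Append("\" data-option=\"").Append(opt)
                    .Append("\" value=\"").Append(amount).Append("\"").Append(checkedAttr)
                    .Append(" /></td><td><input type=\"text\" class=\"amount-other-text\" id=\"txtAmountOther-")
                    .Append(opt).Append("\" data-option=\"").Append(opt)
                    .Append("\" value=\"").Append(amount).Append("\"")
                    .Append(isChecked ? "" : " disabled=\"disabled\"")
                    .Append(" style=\"width:70px;\" />").Append(label).Append("</td></tr>");
            }
            else
            {
                string amount = decimal.Parse(item[0], CultureInfo.InvariantCulture)
                                       .ToString("0.00", CultureInfo.InvariantCulture);
                rows.Append("<tr><td><input type=\"radio\" class=\"amount-level\" id=\"rdbAmount-")
                    .Append(opt).Append(index).Append("\" name=\"").Append(groupName)
                    .Append("\" data-option=\"").Append(opt)
                    .Append("\" value=\"").Append(amount).Append("\"").Append(checkedAttr)
                    .Append(" /></td><td>&nbsp;&nbsp;").Append(label).Append("</td></tr>");
            }
        }
        return rows.ToString();
    }
}
```

The click, change and keypress handling moves to a script file served from the same origin (for example donation.js, loaded with a plain script src tag): it listens for change on document, dispatches by the amount-level / amount-other / amount-other-text class to the existing selectAmount and selectOtherAmount functions, and passes e.target.dataset.option as the second argument. With the policy above an inline script block defining those functions would itself be blocked, so they belong in that file too. A value like donationOption that is reflected from the request never sits inside script text this way, which is the condition the auditor was built to flag.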