We started to get

Refused to execute a JavaScript script. Source code of script found within request.

with version 17 of Chrome. Version 16 was working fine. What it seems to complain about is that we do a POST and the reply is the same as what we already have, if I understand it correctly. Or is there a way to verify exactly what it complains about?

Is there a way to get around this, or has anyone had similar problems with the new version 17 of Chrome? We don't do any cross posting on our site, so it kind of looks like a bug from Chrome, but anyhow it needs to be solved.

Johan Wikström

1 Answer

https://stackoverflow.com/a/1547887/99220 seems applicable. The feature is attempting to detect an XSS attack client-side, and refusing to execute code that looks like it's simply reflecting whatever was stuffed into a POST.

It's certainly possible that the XSS filters are buggy, and detecting your case as a false-positive. It's also possible that you have an actual XSS hole on your site that Chrome is warning you about. Can you post a link so others can take a look? If it is a bug, I'll help you file a ticket at http://new.crbug.com/. If it's not a bug, then we can evaluate how you can fix your site.

Mike West
  • Yes, actually the problem was that we had jQuery jTemplates on the site. And those templates are put into hidden textareas. They don't actually contain JavaScript code but it could be interpreted as such. I changed to put it in a script tag with type="html/text" instead. jTemplates doesn't support this but it was easy to change the jQuery plugin. – Johan Wikström Feb 21 '12 at 21:36
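
A simplified model of the reflection check the answer describes, added here as an example; it is not part of the original thread and is not Chrome's implementation. It shows why markup posted back from a form field can match an inline script already on the page, and why a script block with a non-JavaScript type is never a candidate. The function names and sample fragments are constructed for illustration.

```javascript
// Simplified model of a client-side reflection check. This is an assumption
// made for illustration, not Chrome's actual XSS filter logic.

// Decode the values of an application/x-www-form-urlencoded POST body.
function formValues(body) {
  return body.split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    try {
      return decodeURIComponent(raw.replace(/\+/g, ' '));
    } catch (e) {
      return raw; // malformed percent-encoding: compare the raw text
    }
  });
}

// Collapse whitespace so reformatting does not hide a match.
const norm = (s) => s.replace(/\s+/g, ' ').trim();

// A script block runs only with no type or a JavaScript type.
function isExecutable(attrs) {
  const t = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
  return !t || /^(module|(text|application)\/(java|ecma)script)$/i.test(t[1]);
}

// Return executable inline scripts whose source also appears in the POST body.
function reflectedScripts(postBody, html) {
  const values = formValues(postBody).map(norm);
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const hits = [];
  for (const m of html.matchAll(re)) {
    const src = norm(m[2]);
    if (isExecutable(m[1]) && src.length >= 8 && values.some((v) => v.includes(src))) {
      hits.push(src);
    }
  }
  return hits;
}

// Constructed sample: a form field posts back markup the page already contains.
const SNIPPET = "showRow('{$T.name}');";
const POST_BODY = 'id=7&tpl=' + encodeURIComponent('<script>' + SNIPPET + '</script>');
const PAGE_INLINE = '<form><script>' + SNIPPET + '</script></form>';
const PAGE_INERT = '<script type="html/text"><b>{$T.name}</b> ' + SNIPPET + '</script>';
const PAGE_OTHER = '<script>initMenu(document.body);</script>';
```

In this model only `PAGE_INLINE` is flagged against `POST_BODY`; the block typed `html/text` is skipped because it is not executable.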