Create an Account
username: password:
 
  MemeStreams Logo

Memo To Google: Stop Screwing with IE Security!

search

Acidus
Picture of Acidus
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Acidus's topics
Arts
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
Current Events
Recreation
Local Information
Science
Society
Sports
Technology

support us

Get MemeStreams Stuff!


 
Memo To Google: Stop Screwing with IE Security!
Topic: Miscellaneous 3:58 pm EDT, Oct  7, 2009

I'm not sure how long this has been going on, but Google owned websites are turning off Internet Explorer 8's Cross Site Scripting Filter.

This is unbelievably stupid.

Google websites like FeedBurner and Blogger are including the X-XSS-Protection HTTP header to tell IE8 to disable its reflected XSS detection! See for yourself. Here are the headers for https://www.blogger.com/start:

HTTP/1.1 200 OK
Set-Cookie: [SNIPPED]
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 07 Oct 2009 19:53:41 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Server: GFE/2.0
Transfer-Encoding: chunked

Again, I am shocked at how utterly stupid this is. Google is downgrading the security of its website visitors!

IE's XSS filter is designed to detect reflected XSS attacks that appear in the query string of a Url. This is a Very Good Thing(tm). While there is a remote possibility that HTML markup passed in the query string of a URL could cause the XSS filter to false positive you really should not have web apps whose design allows chunks of markup passed around the applicaiton in user controlled fields.

There is simply no reason anyone should ever use the header X-XSS-Protection. Period. Let alone Google.

Ping to Rich Canning... [PING]...



 
 
Powered By Industrial Memetics
RSS2.0