1 Topic by shawn_a (edited by shawn_a 2012-02-21 14:55:53)

  • From: USA
  • Registered: 2011-09-14
  • Posts: 246
  • Reputation : 2

Topic: FYI Google Chrome 17 issues

FYI, google recently added some XSS filtering to chrome.

When editing pages you might have issues. There seems to be alot of XSS reflection false positives going on.

I get javascript halts if I simply enter an img
<img src="http://domain.com/test.png" />

Console will show
Refused to execute a JavaScript script. Source code of script found within request.

Still investigating.

EDIT:
Only happening in 3.1, i wonder ifs its the new js queueing with the version numbers.

http://groups.google.com/a/chromium.org … &pli=1

Supposedly you can send a header
X-XSS-Protection: 0
I guess ill try that only on edit pages.

Admin Tagging GUI Plugin
TOC / Anchors Plugin
Page Time
Development Suite

shawn_a's Website

  • From: USA
  • Registered: 2011-09-14
  • Posts: 246
  • Reputation : 2

Re: FYI Google Chrome 17 issues

Ok well I cannot for the life of me find where the admin pages send httpd headers at.
So unless I find that, and how to patch it in, ill have to come up with an apache rule to send the header.

You can also start up chrome with this switch, but its disables it for everything.

--disable-xss-auditor

So your shortcut target would look something like this.

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

I also confirmed that this is new with 3.1, if you remove the querystrings from the javascript urls, its avoids this bug. So that has something to do with these false positives.

Admin Tagging GUI Plugin
TOC / Anchors Plugin
Page Time
Development Suite

shawn_a's Website

3 Reply by shawn_a (edited by shawn_a 2012-02-23 22:58:04)

  • From: USA
  • Registered: 2011-09-14
  • Posts: 246
  • Reputation : 2

Re: FYI Google Chrome 17 issues

I made a plugin for this in case anyone has the same issue.
FYI, this is a webkit filter issue, so it probably affects all webkit browsers.

Plugin Name: sa_xss_off
Version: 1.0
Compatibility: 3.1
Description: Sends header to disable cient based XSS protection
Pages: (edit.php)

Now on extend, Moved to plugins
http://get-simple.info/forum/topic/3433 … ff-plugin/

Admin Tagging GUI Plugin
TOC / Anchors Plugin
Page Time
Development Suite

shawn_a's Website

  • ccagle8
  • ccagle8
  • GetSimple Administrator
  • Offline
  • From: Pittsburgh, PA
  • Registered: 2009-08-06
  • Posts: 1,814
  • Reputation : 15

Re: FYI Google Chrome 17 issues

thanks Shawn!

- Chris
Thanks for using GetSimple! - Download

Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!

ccagle8's Website

  • From: USA
  • Registered: 2011-09-14
  • Posts: 246
  • Reputation : 2

Re: FYI Google Chrome 17 issues

ccagle8 wrote:

thanks Shawn!

Glad you guys added all these wikked plugin hooks.
:)

3.1 is wonderful so far, I have about 20 plugins running on my dev install and no issues at all.

Admin Tagging GUI Plugin
TOC / Anchors Plugin
Page Time
Development Suite

shawn_a's Website