FYI Google Chrome 17 issues
#1
FYI, Google recently added some XSS filtering to Chrome.

When editing pages you might have issues. There seem to be a lot of XSS reflection false positives going on.

I get JavaScript halts if I simply enter an img
<img src="http://domain.com/test.png" />

Console will show
Refused to execute a JavaScript script. Source code of script found within request.

Still investigating.

EDIT:
Only happening in 3.1, I wonder if it's the new JS queueing with the version numbers.

http://groups.google.com/a/chromium.org/...raot&pli=1

Supposedly you can send a header
X-XSS-Protection: 0
I guess I'll try that only on edit pages.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#2
Ok, well, I cannot for the life of me find where the admin pages send httpd headers at.
So unless I find that, and how to patch it in, I'll have to come up with an Apache rule to send the header.

You can also start up Chrome with this switch, but it disables it for everything.

Code:
--disable-xss-auditor
So your shortcut target would look something like this.
Code:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

I also confirmed that this is new with 3.1; if you remove the querystrings from the JavaScript URLs, it avoids this bug. So that has something to do with these false positives.
- Shawn A aka Tablatronix
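
An Apache rule of the kind mentioned in post #2, added here as an example and not taken from the thread or from the sa_xss_off plugin. It assumes mod_headers is enabled, that the file is an .htaccess inside the GetSimple admin directory (assumed to be named "admin"), and that the server permits `AllowOverride FileInfo` there.

```apache
# admin/.htaccess (constructed example; the directory name is an assumption)
# Requires mod_headers and "AllowOverride FileInfo" for this directory.
<IfModule mod_headers.c>
    # Scope the override to the page editor only, so the browser's XSS
    # filter stays active for every other admin and front-end page.
    <Files "edit.php">
        Header set X-XSS-Protection "0"
    </Files>
</IfModule>
```

After saving, reload edit.php and confirm in the browser's network panel that the response for that page carries the header and that other admin pages do not.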
#3
I made a plugin for this in case anyone has the same issue.
FYI, this is a WebKit filter issue, so it probably affects all WebKit browsers.

Plugin Name: sa_xss_off
Version: 1.0
Compatibility: 3.1
Description: Sends header to disable client-based XSS protection
Pages: (edit.php)

Now on extend, Moved to plugins
http://get-simple.info/forum/topic/3433/...ff-plugin/
- Shawn A aka Tablatronix
#4
thanks Shawn!
- Chris
Thanks for using GetSimple! - Download

Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
#5
ccagle8 Wrote:thanks Shawn!

Glad you guys added all these wikked plugin hooks.
Smile

3.1 is wonderful so far, I have about 20 plugins running on my dev install and no issues at all.
- Shawn A aka Tablatronix