XSS filter modifies the page even with "X-XSS-Protection" value="0"

    Question

  • Hello,

    I'm writing a page that posts to a user's Facebook wall. The page works fine in Firefox. In IE8, the XSS filter modifies the page and my post never completes. I've added the tags below to my web.config to prevent this but still have the same result. Have also added a custom header to do the same in IIS and that did not help either. Is there another way to totally turn this filter off aside from asking the user?

     

    Thank you,

    Andrew

     

     

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <clear />
          <add name="X-XSS-Protection" value="0" /> <!-- To allow cross site scripting from FB -->
        </customHeaders>
      </httpProtocol>
    </system.webServer>


    Andrew Fetchko
    Sunday, November 07, 2010 10:13 PM

Answers

  • It turns out that having external code like a .js file referenced in both the master and content page can cause this error. I have no idea why but removing it from the master and leaving it in the content page removed the XSS Filter error.
    Andrew Fetchko
    • Marked as answer by Andrew.Fetchko Tuesday, November 09, 2010 1:23 PM
    Tuesday, November 09, 2010 1:23 PM
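
A diagnostic sketch for the two things this thread turns on, added here as an example and not code from the original posts: whether the response really carries `X-XSS-Protection: 0`, and whether the rendered page references the same external .js file more than once (the master/content page situation described in the answer). The sample response, script paths, base URL and function names are constructed for illustration, and treating URLs as case-insensitive is an assumption.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the header from the web.config in the question, and a
# rendered page in which the same .js file is referenced twice.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html><head><script src='/scripts/fb-helper.js'></script></head>"
    "<body><script src=\"/Scripts/fb-helper.js\"></script>"
    "<script src='/scripts/other.js'></script></body></html>"
)

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def xss_protection_values(raw):
    """Return every X-XSS-Protection value found in the header section."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-xss-protection":
            values.append(value.strip())
    return values

def duplicate_scripts(raw, base_url):
    """Return absolute script URLs that the page references more than once."""
    body = raw.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in raw else ""
    collector = ScriptSrcCollector()
    collector.feed(body)
    # Assumption: URLs are compared case-insensitively.
    counts = Counter(urljoin(base_url, s).lower() for s in collector.sources)
    return sorted(url for url, n in counts.items() if n > 1)

def diagnose(raw, base_url="http://example.test/"):
    values = xss_protection_values(raw)
    return {"header_values": values,
            "header_requests_filter_off": values == ["0"],
            "duplicate_scripts": duplicate_scripts(raw, base_url)}
```

Feeding it the raw response captured from the real page shows whether the header reached the client as intended and which script references are doubled.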

All replies

  • Hi,

    Ask the FB developers to add the header to their servers. I don't think so.....

    I think there is an ASP.NET API for FB; see developers.facebook.com

    Regards.


    Rob^_^
    Sunday, November 07, 2010 11:59 PM