5

On Chrome I'm getting an error `Refused to execute a JavaScript script. Source code of script found within request.` after posting data that contains the name of the domain (also note the lack of JavaScript on either page).

badpage1.html:

<form action="/badpage2.html" method="post">
<input type="hidden" name="name" value="href=%22http://www.w3.org/%22"/>
<input type="submit" name="submit"/>
</form>

badpage2.html:

<!DOCTYPE html>
<html>
    <head>
        <base href="http://www.w3.org/"/>
    </head>
    <body>
        <img src="Icons/w3c_home" alt="">
    </body>
</html>

If you go directly to badpage2.html the image will show, but if you go to it via badpage1.html, the image will not show (base tag doesn't work).

Is this a bug in Chrome XSS detection? And if it's not, how would I bypass this? It seems silly to encode the posted data just to bypass this filter.

EDIT:

In my case, the post value sent is to update part of the content of the page. The problem comes if it happens to contain the domain name that is used in the <base> (as this example does): it will trigger the XSS detection, which disables the <base> tag.

Kendall Hopkins
  • More on this here - http://stackoverflow.com/questions/1547884/refused-to-execute-a-javascript-script-source-code-of-script-found-within-reque – simshaun Feb 24 '12 at 00:20
  • @simshaun I saw that, but in this case XSS is *intended* (since it's a CMS editor). Is there a header the server can send or something to tell Chrome to disable these types of checks? – Kendall Hopkins Feb 24 '12 at 00:26
  • The only thing I can find is http://lwn.net/Articles/360424/, which points to some [bugs](https://bugs.webkit.org/buglist.cgi?keywords=XSSAuditor&resolution=---) in the filter. Guess the filter works on more than just scripts though, so that error message is confusing. The real problem is setting the base href to an external domain. AFAIK, this violates most browsers' security model. Not sure if there is a reliable workaround for it, and even if so, probably not a good idea (in my opinion). Can you not pre-process the page to put the full URL in any relative src or href attributes? – simshaun Feb 24 '12 at 00:39

1 Answer

3

I found out that I can send the custom HTTP header X-XSS-Protection on the page that is being messed up due to the protection.

I use the below code for my PHP solution:

<?php
// Must be sent before any output, so the header reaches the browser with this response
header( "X-XSS-Protection: 0" );

Kendall Hopkins
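Both approaches raised on this page side by side, as an added Python example (not the asker's PHP nor anything from the original post): a minimal WSGI app that serves a constructed copy of badpage2.html either with the `X-XSS-Protection: 0` opt-out from the answer, or with the `<base>` tag dropped and every relative `src`/`href` rewritten to an absolute URL, which is the pre-processing suggested in the comments and removes the reason the auditor fires. Route paths, function names and the regex-based rewriter are assumptions made for this example. Worth knowing: Chrome removed the XSS Auditor in Chrome 78, so current browsers ignore this header and Content-Security-Policy is the mechanism that replaced it.

```python
"""Two ways to keep an external <base> page working: opt out of the auditor
(the answer's header) or absolutize URLs so no <base> is needed (the comments'
suggestion). Example code added to the page; names are hypothetical."""
import re
from urllib.parse import urljoin
from wsgiref.simple_server import make_server

BASE_HREF = "http://www.w3.org/"  # the external base used on the page

# Constructed copy of the page's badpage2.html
BADPAGE2 = """<!DOCTYPE html>
<html>
    <head>
        <base href="http://www.w3.org/"/>
    </head>
    <body>
        <img src="Icons/w3c_home" alt="">
    </body>
</html>
"""

# Deliberately simple attribute/tag matching; good enough for markup like the above
_ATTR_RE = re.compile(r'(\b(?:src|href)=")([^"]*)(")', re.IGNORECASE)
_BASE_RE = re.compile(r'\s*<base\b[^>]*>\s*', re.IGNORECASE)


def absolutize(html, base):
    """Drop the <base> tag and resolve every src/href against `base`.
    Already-absolute URLs are left unchanged by urljoin."""
    html = _BASE_RE.sub("\n", html)

    def repl(m):
        return m.group(1) + urljoin(base, m.group(2)) + m.group(3)

    return _ATTR_RE.sub(repl, html)


def response_headers(opt_out):
    """Headers for the HTML response. opt_out=True reproduces the answer:
    X-XSS-Protection: 0 told older Chrome/WebKit to skip the XSS Auditor."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if opt_out:
        headers.append(("X-XSS-Protection", "0"))
    return headers


def app(environ, start_response):
    """Hypothetical routes: /optout/ keeps <base> and disables the auditor;
    /absolute/ serves the rewritten page and needs no opt-out."""
    path = environ.get("PATH_INFO", "/")
    if path == "/optout/badpage2.html":
        body = BADPAGE2
        start_response("200 OK", response_headers(opt_out=True))
    elif path == "/absolute/badpage2.html":
        body = absolutize(BADPAGE2, BASE_HREF)
        start_response("200 OK", response_headers(opt_out=False))
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # POST the form from badpage1.html at either route to compare behaviour
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```

The `/absolute/` route is the one to prefer: it leaves the browser's protections in place and the served page no longer depends on `<base>` resolving against an external origin, so reflected POST data containing the domain name has nothing to disable.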