Chromium's XSS auditor refused to execute a script

MountainMan · Jun 10, 2013 · Viewed 44.2k times

This is a message from the Chrome Inspector:

The XSS Auditor refused to execute a script in http://localhost/Disposable Working NOTAS.php because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

... I have a couple dozen websites sitting on localhost on my notebook which I use for a big part of my workflow, and in the last couple of days, after an updated Chrome changed something, pretty much all the websites' textareas' content is not being saved to file anymore.

The code which was saving edits I made is uniformly broken; I enter new text, click on save and my browser, instead of executing the file-writing subroutines in the script for the webpage I am working in, simply opens a new blank page. If I then hit the back button, the textarea still shows the freshly added content, but in the file, no changes are being appended.

Answer

icktoofay · Jun 10, 2013

If you'd like to tell Chrome to disable its XSS protection, you can send an X-XSS-Protection header with a value of 0. Since you appear to be using PHP, you'd add this somewhere where it'll always be executed before any content has been output:

header("X-XSS-Protection: 0");
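As an added example (not code from the question or the answer above), here is a minimal PHP handler of the "edit a textarea, save it to a file" kind the question describes. It shows the two things that matter: the header() call has to run before a single byte of output is sent, and the saved text is escaped on the way back into the page, so the response no longer contains a verbatim copy of what was in the request, which is the match the auditor looks for. The field name `notes` and the file `notes.txt` are placeholders chosen for this example.

```php
<?php
// Added example; not from the original question or answer.
// Assumed names: POST field "notes", storage file notes.txt beside this script.

// 1. Headers must be sent before any output. A stray newline or space before
//    the opening "<?php" tag already counts as output and makes header() fail.
header("X-XSS-Protection: 0");

$file  = __DIR__ . '/notes.txt';
$saved = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['notes'])) {
    // LOCK_EX prevents two tabs saving at once from interleaving their writes.
    $saved = file_put_contents($file, $_POST['notes'], FILE_APPEND | LOCK_EX) !== false;
}

$current = is_file($file) ? file_get_contents($file) : '';
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($saved): ?><p>Saved.</p><?php endif; ?>
<form method="post">
  <!-- 2. Escape what is echoed back. Reflecting posted text verbatim is the
       pattern the auditor was built to catch; escaping it keeps the page
       working whether or not the browser honours the header, and also stops
       a pasted "</textarea><script>" from breaking out of the control. -->
  <textarea name="notes" rows="20" cols="80"><?= htmlspecialchars($current, ENT_QUOTES, 'UTF-8') ?></textarea>
  <button type="submit">Save</button>
</form>
</body>
</html>
```

Drop the file into the document root, open it in the browser, type into the textarea and click Save; each submission appends to notes.txt and the page redisplays the file's contents. Note that the header only has an effect in browsers that still ship the auditor: Chrome removed it in version 78, so on current Chrome the header is ignored and the output escaping is what actually matters.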