How to temporarily disable XSS protection in modern browsers for testing?

javascript html security xss
richardkmiller picture richardkmiller · Oct 17, 2012 · Viewed 86.9k times · Source

Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?

I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:

<script>alert("Danger");</script>

However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?

Answer

Zachary K picture Zachary K · Oct 17, 2012

In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:

--disable-web-security

Related questions

XSS - Which HTML Tags and Attributes can trigger Javascript Events?

I'm trying to code a secure and lightweight white-list based HTML purifier which will use DOMDocument. In order to avoid unnecessary complexity I am willing to make the following compromises: HTML comments are removed script and style tags are stripped …

Read More
How does Content Security Policy (CSP) work?

I'm getting a bunch of errors in the developer console: Refused to evaluate a string Refused to execute inline script because it violates the following Content Security Policy directive Refused to load the script Refused to load the stylesheet What's …

Read More
Check if a file exists locally using JavaScript only

I want to check if a file exists locally, where the HTML file is located. It has to be JavaScript. JavaScript will never be disabled. jQuery is not good but can do. By the way, I am making a titanium …

Read More