aseps3472 / gdata-javascript-client

Automatically exported from code.google.com/p/gdata-javascript-client
0 stars 0 forks source link

"Internet Explorer has modified this page to prevent cross-site scripting" #25

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I am using the Javascript API and get this error when I run my application that 
modifies a contact record:

"Internet Explorer has modified this page to prevent cross-site scripting"

I was able to eliminate the error by adding my domain to the "trusted Sites" 
list in IE8 and get everything to work just fine.

However, In reading this tech note:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filte
r.aspx

It looks like this problem can be completely eliminated by adding:
X-XSS-Protection: 0

to your https header that you are sending.  Could google API do that?  I think 
it would be helpful.

thanks,

Scott.

Original issue reported on code.google.com by SSchmit...@gmail.com on 12 Sep 2010 at 6:02

GoogleCodeExporter commented 8 years ago
I have added the header:
X-XSS-Protection: 0

to my html page which is running the Javascript which calls the Google code and 
this turned off the errors I was seeing in IE8.

Original comment by SSchmit...@gmail.com on 12 Sep 2010 at 10:54

GoogleCodeExporter commented 8 years ago
I spoke with the engineer responsible with the XSS filter in IE.  He tells me 
that this XSS Protection header must be turned off from the Google side.  
Without having that XSS filter turned off, the XSS filter believes that google 
contacts api calls to create contacts are some kind of brute force attack after 
creating around 13 records.

I would recommend that Google turn off the XSS filter off - to 0.

Original comment by SSchmit...@gmail.com on 21 Apr 2011 at 3:36