Open GoogleCodeExporter opened 8 years ago
Actually, I really need to have Google send the header:
X-XSS-Protection 0
for responses which edit Google records,
which would suppress the XSS filter. Not sure what benefit having this XSS
filter is for these internal communications. The user has already explicitly
granted permission for my application to access this data. Further, the data
format that you are expecting is pretty darn particular - there seems no
opportunity to inject something erroneous into it without your servers
detecting it and returning an explicit error back. I know from firsthand
experience that your API is extremely picky about the data that it will accept
- if I so much as provide an empty string in the wrong place
As it stands now, there's a black box between my application and Google and
that black box is blocking my communications between my application and Google
servers and I can find no way to suppress that black box from my end.
I would be happy to set up a test account with our application so you can do a
synchronization and see this error first-hand. Hard to tell precisely what is
triggering this error, but it looks like IE9 has some sort of algorithm where
it triggers if several calls to the API are made repeatedly. That is pretty
typical for our code as we do 2-way synchronization with the Contacts API.
Therefore, we can easily be making several thousand calls consecutively as we
make individual changes (creation, modification, deletion) of each individual
contact record.
thanks,
Scott Schmitz
Original comment by sc...@realorganized.com
on 28 Mar 2011 at 2:52
I am having the exact same problem. The only way I have found to work around
this issue is to turn Internet Explorer security down to Medium Low. Is there
any update on this issue? Do you have any workarounds?
Original comment by aaron.au...@gmail.com
on 7 Sep 2011 at 6:09
I spoke with the engineer responsible for this particular security flag and
they say that they will not be changing their detection algorithm. They have
recommended that Google stop sending that header. If the header is not sent,
then all will be OK. The problem is the flag is asking IE to be extremely paranoid
about the data - and so we get the error.
How about it, Google? Can you strip that flag, or perhaps allow an API setting
to request that the header not get included?
Original comment by sc...@realorganized.com
on 15 Dec 2011 at 2:04
Original issue reported on code.google.com by
sc...@realorganized.com
on 28 Mar 2011 at 2:33