aseps3472 / gdata-javascript-client

Automatically exported from code.google.com/p/gdata-javascript-client
0 stars 0 forks source link

Javascript Google Contacts API and X-XSS-Protection header #35

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I notice that Google API returns

X-XSS-Protection 1

in the headers of the responses to my Google Javascript API requests.  Is there 
a way to get this turned off?  Can I control this value?

I am seeing errors like this from IE9:
"Internet Explorer has modified this site to prevent cross site scripting"

I believe that IE9 filters are incorrectly believing that I am doing something 
illegal?  What I am doing is a 2-way synchronization between our CRM product 
and Google Contacts and Calendar using the Google API.

So, in order for this to succeed, I really need a way to tell IE9 to stop 
flagging these communications as bogus.

Would it be possible to request that this header not be returned?

thanks,

Scott Schmitz

Original issue reported on code.google.com by sc...@realorganized.com on 28 Mar 2011 at 2:33

GoogleCodeExporter commented 8 years ago
Actually, I really need to have google send the header:
X-XSS-Protection 0

for responses which edit google records.

which would suppress the xss filter.  Not sure what benefit having this xss 
filter is for these internal communications.  The user has already explicitly 
granted permission for my application to access this data.  Further, the data 
format that you are expecting is pretty darn particular - there seems no 
opportunity to inject something erroneous into it without your servers 
detecting it and returning an explicit error back.  I know from firsthand 
experience that your API is extremely picky about the data that it will accept 
- if I so much as provide an empty string in the wrong place 

As it stands now, there's a black box between my application and google and 
that black box is blocking my communications between my application and google 
servers and  I can find no way to suppress that black box from my end.

I would be happy to set up a test account with our application so you can do a 
synchronization and see this error first-hand.  Hard to tell precisely what is 
triggering this error, but it looks like IE9 has some sort of algorithm where 
it triggers if several calls to the API are made repeatedly.  That is pretty 
typical for our code as we do 2-way synchronization with contacts api.  
Therefore, we can easily be making several thousand calls consecutively as we 
make individual changes (creation, modification, deletion) of each individual 
contact record.

thanks,

Scott Schmitz

Original comment by sc...@realorganized.com on 28 Mar 2011 at 2:52

GoogleCodeExporter commented 8 years ago
I am having the exact same problem.  The only way I have found to work around 
this issue is to turn internet explorer security down to Medium Low.  Is there 
any update on this issue? Do you have any work arounds? 

Original comment by aaron.au...@gmail.com on 7 Sep 2011 at 6:09

GoogleCodeExporter commented 8 years ago
I spoke with the engineer responsible for this particular security flag and 
they say that they will not be changing their detection algorithm.  They have 
recommended that Google stop sending that header.  If the header is not sent, 
then all will be OK.  The problem is flag is asking IE to be extremely paranoid 
about the data - and so we get the error.

How about it google?  Can you strip that flag, or perhaps allow an API setting 
to request that the header not get included?

Original comment by sc...@realorganized.com on 15 Dec 2011 at 2:04