
Feature Proposal: Disable XSS Protection for JavaScript

Motivation

Recent browsers ship a reflected-XSS filter (the XSS Auditor in Chrome and Safari, the XSS Filter in Internet Explorer) that neutralises inline JavaScript in a response when the same script text also appears in the request that produced it. The response to saving a TWiki topic that contains JavaScript meets exactly that condition: the script is in the POST body and again in the page sent back, so the browser disables the script right after the save. That is a sensible default against reflected XSS, but it gets in the way while a TWiki application that uses JavaScript is being developed.

References:

Description and Documentation

The browser filter can be switched off per response by adding an X-XSS-Protection: 0 HTTP response header. The proposed implementation is a new configuration option, $TWiki::cfg{DisableXSSProtection}, which makes TWiki emit that header so that administrators can choose to disable the filter. Note that the header turns off the browser-side check for every page TWiki serves, not only for the post-save response, so a reflected XSS bug anywhere else on the site is also left unfiltered; it has no effect in browsers without such a filter (Firefox never implemented one, and Chrome and Edge have since removed theirs), and it does not change TWiki's own server-side escaping.

Examples
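The following is an added example, not code from TWiki (which is written in Perl) or from this proposal; it models in Python what the proposal is reacting to. `reflected_scripts` is a deliberately simplified sketch of the browser heuristic (script text present in both request parameters and response), and `twiki_like_headers`, `save_flow`, `view_flow`, `search_flow`, and the topic text are constructed stand-ins that assume the proposed option name $TWiki::cfg{DisableXSSProtection}. It shows why the save response is blocked while a plain view of the same topic is not, and what the option costs: a genuine reflected injection (the search case) is no longer filtered either.

```python
"""Model of the browser XSS-filter interaction behind the proposal (constructed example)."""
import re
from urllib.parse import urlencode, parse_qs

# Very simplified version of the reflected-script heuristic in Chrome/Safari's
# XSS Auditor and IE's XSS Filter. Real implementations also normalise
# encodings and inspect event handlers and javascript: URLs; this only asks
# whether an inline <script> block in the response is found verbatim in a
# request parameter.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def reflected_scripts(request_body, response_html):
    """Inline script blocks of the response that also occur in the request."""
    params = parse_qs(request_body, keep_blank_values=True)
    values = [v for vals in params.values() for v in vals]
    return [b for b in SCRIPT_RE.findall(response_html) if any(b in v for v in values)]


def filter_would_block(request_body, headers, response_html):
    """True if a filtering browser would neutralise script in this response."""
    value = headers.get("X-XSS-Protection", "1").strip()
    if value.startswith("0"):          # header opts the page out of the filter
        return False
    return bool(reflected_scripts(request_body, response_html))


def twiki_like_headers(cfg):
    """Headers a TWiki-like app would emit under the proposed option (hypothetical)."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if cfg.get("DisableXSSProtection"):
        headers["X-XSS-Protection"] = "0"
    return headers


# Constructed topic text containing the JavaScript of a TWiki application.
TOPIC_TEXT = '---+ My App\n<script>document.title = "My App";</script>\n'


def render_view(topic_text):
    # Constructed stand-in for the rendered topic page.
    return "<html><body>" + topic_text + "</body></html>"


def save_flow(cfg):
    """POST of the edited topic whose response is the rendered topic itself."""
    request_body = urlencode({"text": TOPIC_TEXT, "action": "save"})
    return filter_would_block(request_body, twiki_like_headers(cfg), render_view(TOPIC_TEXT))


def view_flow(cfg):
    """Plain GET of the saved topic: the script is only in the response, so no reflection."""
    return filter_would_block("", twiki_like_headers(cfg), render_view(TOPIC_TEXT))


def search_flow(cfg):
    """The reflected-XSS case the filter exists for: attacker-supplied script echoed back."""
    payload = "<script>alert(document.cookie)</script>"
    request_body = urlencode({"search": payload})
    return filter_would_block(request_body, twiki_like_headers(cfg),
                              render_view("Results for: " + payload))


if __name__ == "__main__":
    for cfg in ({}, {"DisableXSSProtection": 1}):
        print(cfg, "save blocked:", save_flow(cfg),
              "view blocked:", view_flow(cfg),
              "search blocked:", search_flow(cfg))
```

With the option unset, only the save response and the injected search result are blocked; with it set, neither is. That is the trade-off an administrator accepts: the developer's post-save page works, and so does the attacker's reflected payload.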

Impact

WhatDoesItAffect: Security, Usability

Implementation

-- Contributors: Mahiro Ando - 2013-03-05

Discussion

Topic revision: r4 - 2013-09-19 - PeterThoeny