Feature Proposal: Disable XSS Protection for JavaScript
Motivation
In recent browsers, XSS protection filter disables JavaScript right after the TWiki topic is saved, as it is considered as a risk of reflective XSS attack (where the same JS code is contained in both the HTTP request and response). However, it is inconvenient when a TWiki application with JavaScript is being developed. References:- http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
- http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
- http://stackoverflow.com/questions/1547884/refused-to-execute-a-javascript-script-source-code-of-script-found-within-reque
Description and Documentation
The XSS filter can be disabled by addingX-XSS-Protection: 0 HTTP response header. A proposed implementation is to provide an option as $TWiki::cfg{DisableXSSProtection} so that the TWiki administrators can choose to disable it.
Examples
Impact
Implementation
-- Contributors:
Mahiro Ando - 2013-03-05
Discussion
Topic revision: r4 - 2013-09-19 - PeterThoeny
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.