ERR_BLOCKED_BY_XSS_AUDITOR error in Google Chrome - How to fix it


With the recent Chrome 57 build, the XSS Auditor's detection (and blocking) capabilities have been improved to the point that many web-based services suddenly stopped working, giving this rather obscure error:

ERR_BLOCKED_BY_XSS_AUDITOR

The issue is almost always caused by HTML-formatted content being sent via POST within the request and then reflected into the response page, which is a rather common pattern in modern web tools and features such as WYSIWYG editors, interactive uploaders, AJAX-based CMS real-time updates, and so on.

When the tool is developed by third parties, the best thing you can do is to open an issue with the developers and let them go through the hassle: however, there are scenarios where you *need* to anticipate the fix yourself, not to mention the cases where *you* are the tool developer. This is what happened to me yesterday, when I had to apply a quick fix to a tool I coded for a friend of mine a while ago: an interactive electronic invoice viewer which follows the recent Italian electronic invoice PA standards.

What I did there was use an AJAX-based function to pass the whole content of an entire HTML page and then display it in the response to the same HTTP request, which was the only working way I found to support drag-and-drop in a cross-browser way: more specifically, I couldn't use the great native HTML5 drag-and-drop feature because it doesn't work well in IE < 10, which I really had to support. The script worked really well until a couple of days ago, when it suddenly started to raise the above error. After digging here and there, I finally stumbled upon this post, which (kinda) explained the cause.

According to the post author, the most straightforward way to overcome the issue was adding the following key/value pair to the response headers:

This can be done in a number of ways, depending on the server-side technology you're using.

ASP.NET

Add the following within the Web.Config file:

Or just add an HttpContext.Current.Response.AppendHeader("X-XSS-Protection", "0") call within your MVC controller/ASPX page code (the header value must be passed as a string).

PHP

Use the header() function to add something like the following before the first output:

... And so on.

Unfortunately, such an approach didn't fix my problem at all. Then I thought about getting rid of the raw HTML code by encoding it in some convenient way, such as the always-good Base64 scheme... and I had much better luck with that.

What I did was download this neat jQuery-base64 plugin (many thanks to the author, Tao Klerks), add it to my HTML page using a standard <script> element within the <head> block, and then encode the input right before POSTing it, in the following way:

Then I switched to the server-side PHP code and base64-decoded the received input on the result page, using the PHP-native base64_decode function, in the following way:
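The same encode/decode round trip, as an added example that is my own code rather than the post's or the jQuery-base64 plugin's: it does the client-side step with standard TextEncoder/btoa APIs (which, unlike plain btoa alone, survive accented characters and the euro sign an Italian invoice contains) and the matching decode that PHP's base64_decode performs on the server; the form field name "content" and the invoice snippet are constructed assumptions.

```javascript
// Added example, not code from the original post or the jQuery-base64 plugin.
// UTF-8-safe Base64 round trip for an HTML payload using standard APIs only.

// Plain btoa() throws on characters above U+00FF (accented letters, "€"),
// which is why the post needed a plugin; encoding to UTF-8 bytes first avoids that.
function encodeHtmlForPost(html) {
  const bytes = new TextEncoder().encode(html);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return typeof btoa === "function"
    ? btoa(binary)
    : Buffer.from(binary, "latin1").toString("base64"); // older Node fallback
}

// Inverse of encodeHtmlForPost(); this is what PHP's base64_decode() does on
// the server, with the resulting bytes then read as UTF-8.
function decodeHtmlFromPost(b64) {
  const binary = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("latin1");
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Form-encoded body as the post's AJAX call would send it ("content" is an
// assumed field name); URLSearchParams also percent-encodes '+', '/' and '='.
function buildPostBody(fieldName, html) {
  return new URLSearchParams({ [fieldName]: encodeHtmlForPost(html) }).toString();
}

// Constructed sample: an invoice fragment with accented characters and a euro sign.
const SAMPLE_HTML =
  '<div class="fattura"><p>Importo: 1.234,56 €</p><p>Città: Forlì</p></div>';

function demo() {
  const body = buildPostBody("content", SAMPLE_HTML);
  const received = new URLSearchParams(body).get("content");
  return {
    body,
    rawMarkupInBody: body.includes("<"),     // false: no markup travels verbatim
    roundTrip: decodeHtmlFromPost(received), // equals SAMPLE_HTML
  };
}
```

The decoded string is still untrusted HTML: encoding only keeps the markup from travelling verbatim in the request, so the server must still sanitize or escape it before writing it into the response.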

... And that was enough to get rid of the ERR_BLOCKED_BY_XSS_AUDITOR error.

That's it for now: happy coding!

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 he has also been a lead designer of apps and games for Android, iOS and Windows Phone devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.


2 Comments on "ERR_BLOCKED_BY_XSS_AUDITOR error in Google Chrome - How to fix it"

  1. HUGELY helpful, thank you! I was able to get it to work using the "header('X-XSS-Protection: 0');" in php. At first it didn't work, when I made that the first line of output. But php documentation always shows header functions right after the opening tag. I put it there, and worked like a charm. THANK YOU!

  2. Thank you very much for your post.
    Helped me a lot.
    Update for .net core 2.0 mvc projects, use :
    HttpContext.Response.Headers.Add("X-XSS-Protection", "0");
    return View(model);
