IE 8 XSS Filtering – To Disable

We have several sites on our local network that have found their way onto Internet Explorer 8's bad list when it comes to XSS. These are not necessarily sites we developed; most are the web interfaces of third-party applications we run. There is a quick way to switch the filter off for trusted sites through the IE settings, which I will show below. First, a look at what XSS is.

What is XSS? Is it like CSS?
XSS stands for "Cross-Site Scripting" (the X is there to avoid confusion with CSS, Cascading Style Sheets, which it has nothing to do with). It is one of many methods an attacker can use to exploit a site and steal information from its users. Script (usually JavaScript) supplied by the attacker is injected into a page served by the vulnerable site, so it runs in the victim's browser with that site's origin, cookies and session, and can send whatever it reads back to a site the attacker controls. The IE 8 filter targets the reflected form, where the script arrives in the request (typically a URL parameter) and is echoed into the response: it looks for request content reappearing in the page as script and neuters it before the page runs. That is also why legitimate applications trip it; anything that echoes request input into markup looks the same to the filter. For examples see the cheat sheet of code at this site. You can also read the Wikipedia article.

How do I bypass the filter for trusted sites?
Generally you wouldn't want to turn XSS filtering in IE 8 off globally unless there is a very good reason to do so: it is a defence for every site you visit, not just the ones that trip it. What I have done instead is add the site I want to adjust to the Trusted Sites zone and then change the settings for that zone only. Two caveats before you do the same. The setting is zone-wide, so every site in Trusted Sites loses the filter, and that zone already runs at a lower security level than the Internet zone, so only add hosts you actually administer. And if you control the application's web server, a more targeted fix is to send the response header X-XSS-Protection: 0 on the pages that trip the filter, which switches it off for those responses and nothing else.

Head to Tools -> Internet Options -> Security. Click on "Trusted Sites", use "Sites" to add the host, then click the "Custom Level" button.
Scroll down in the options until you see "Enable XSS Filter" and choose "Disable".

[Screenshot: disable_xss_cross-site-scripting]

While you are in there you may also want to adjust how IE handles pages that mix http and https content. That is under the heading "Display Mixed Content" (Enable, Prompt or Disable). Setting it to Enable silences the prompt, but it also means http resources on an https page load without any warning, so it is again a change best limited to the Trusted Sites zone.

[Screenshot: disable_https_issues]
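To make the same change repeatably on a handful of admin workstations, here is an added PowerShell example (mine, not from the original post) that writes the Trusted Sites zone entries the dialogs above edit and reads them back afterwards. It assumes the standard IE zone layout in the registry under HKCU, that zone 2 is Trusted Sites, that setting 1409 is "Enable XSS Filter" and 1609 is "Display mixed content", and the host names in it are placeholders; run it as the user whose IE you are changing.

```powershell
# Added example, not part of the original post: the two Trusted Sites changes
# the post makes through Tools -> Internet Options, done from PowerShell so they
# can be scripted for a few admin workstations and read back afterwards.
#
# Assumptions (mine, not the post's):
#   - Zone 2 is "Trusted Sites" under HKCU\...\Internet Settings\Zones.
#   - Setting 1409 is "Enable XSS Filter"     (0 = Enable, 3 = Disable).
#   - Setting 1609 is "Display mixed content" (0 = Enable, 1 = Prompt, 3 = Disable).
#   - The host names used below are placeholders for your own internal apps.
# HKCU settings are per-user; a Group Policy for the same setting will win.

$ZonesKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone  = 2
$XssFilter    = '1409'
$MixedContent = '1609'

function Add-TrustedSite {
    # Registers one host in the Trusted Sites zone for one scheme. IE stores
    # "app.corp.example" as ZoneMap\Domains\corp.example\app with a DWORD named
    # after the scheme whose value is the zone number.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $path   = Join-Path (Join-Path $DomainsKey $domain) $sub
    } else {
        $path = Join-Path $DomainsKey $HostName
    }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Scheme -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

function Set-ZoneSetting {
    # Writes one numeric zone setting; the registry value name is the setting id.
    param(
        [Parameter(Mandatory)][int]$Zone,
        [Parameter(Mandatory)][string]$SettingId,
        [Parameter(Mandatory)][int]$Value
    )
    $path = Join-Path $ZonesKey "$Zone"
    New-ItemProperty -Path $path -Name $SettingId -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-ZoneSetting {
    # Returns the stored value, or $null when the value was never set and IE
    # is using the zone default.
    param([int]$Zone, [string]$SettingId)
    $item = Get-ItemProperty -Path (Join-Path $ZonesKey "$Zone") -Name $SettingId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$SettingId
}

# 1. Record the current values first so the change can be undone exactly.
$before = @{}
foreach ($id in $XssFilter, $MixedContent) {
    $before[$id] = Get-ZoneSetting -Zone $TrustedZone -SettingId $id
}

# 2. Only the hosts that actually trip the filter go into Trusted Sites. The zone
#    settings below apply to every host in the zone, so keep this list short.
foreach ($site in 'app1.corp.example', 'reports.corp.example') {
    Add-TrustedSite -HostName $site -Scheme 'https'
}

# 3. The two Custom Level changes from the post, scoped to the Trusted Sites zone.
Set-ZoneSetting -Zone $TrustedZone -SettingId $XssFilter    -Value 3   # Enable XSS Filter: Disable
Set-ZoneSetting -Zone $TrustedZone -SettingId $MixedContent -Value 0   # Display mixed content: Enable

# 4. Read back before/after so the change is visible in a ticket or audit log.
#    To revert, write $before[$id] back with Set-ZoneSetting (or remove the
#    value with Remove-ItemProperty if it was $null, restoring the zone default).
foreach ($id in $XssFilter, $MixedContent) {
    $after = Get-ZoneSetting -Zone $TrustedZone -SettingId $id
    'Trusted Sites (zone {0}) setting {1}: before={2} after={3}' -f $TrustedZone, $id, $before[$id], $after
}
```

The read-back step matters more than it looks: because the filter is disabled for the whole zone rather than for one host, you want a record of what changed and a way to put it back when the offending application is fixed or replaced.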

I hope you found this post useful; it's just one of those things we learn as IE 8 gets more use. Overall I'm very thankful for what the IE 8 update has provided.
