Designed to help stop Reflected Cross-Site Scripting (XSS) attacks but often exploited to extract information from pages.
Introduced in Internet Explorer 8 back in 2009 as XSS Filter and in Chrome 4 in 2010, controlled by the X-XSS-Protection HTTP header.
The feature was completely removed in Chrome 78 and in Microsoft Edge in 2018.
It currently works in Safari and WebKit-based browsers (any browser on iOS) only.
X-XSS-Protection response header:
X-XSS-Protection: 1; report=https://artie.has.report/report.php
1: enable the auditor
report: where to send the reports to

There's some JavaScript on this page, and hitting the button below will send the same JavaScript in the request. Now, the browser sees a request with some code, then the same code comes back in the response, so this must be a Reflected XSS attack! The browser has no idea the code is always there and that it's not in fact a Reflected XSS attack, but will block it anyway.
<script>console.log('Send this to the page I dare you, I double dare you!');</script>
<form action="?auditor=triggered" method="post">
<input type="hidden" name="some" value="input">
<input type="hidden" name="trigger" value="<script>console.log('Send this to the page I dare you, I double dare you!');</script>">
<button id="trigger" class="blocked">Trigger the XSS Auditor</button>
<span class="browser not-supported hidden">🍌 Not supported in your browser</span>
</form>
This is what the report looks like (or looked like, in the case of Chrome):
{
  "xss-report": {
    "request-url": "<URL>",
    "request-body": "<post data, if any>"
  }
}