Feature Proposal: Disable XSS Protection for JavaScript

Motivation

In recent browsers, the XSS protection filter disables JavaScript right after a TWiki topic is saved, because the browser treats it as a possible reflected XSS attack (the same JS code appears in both the HTTP request and the response). This is inconvenient while a TWiki application containing JavaScript is being developed.

References:

Description and Documentation

The XSS filter can be disabled by adding the HTTP response header X-XSS-Protection: 0. The proposed implementation is to provide a configuration option, $TWiki::cfg{DisableXSSProtection}, so that TWiki administrators can choose whether to disable it.
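As an added example (not part of this proposal or of the TWiki code base), the following Python shows both sides of the setting: a header-building function that mirrors the proposed $TWiki::cfg{DisableXSSProtection} switch (the cfg dict and the response_headers function are assumptions for illustration), and a small audit function that parses a raw HTTP response and reports whether the reflective-XSS filter has been explicitly turned off, so an administrator can verify the effective setting on a running site. The sample responses are constructed.

```python
"""Added example: emitting and auditing the X-XSS-Protection header.
Not TWiki code; the cfg dict stands in for $TWiki::cfg."""

import re


def response_headers(cfg: dict) -> list:
    """Build response headers as the proposal describes: send
    X-XSS-Protection: 0 only when the administrator has enabled the
    (hypothetical) 'DisableXSSProtection' option."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if cfg.get("DisableXSSProtection"):
        headers.append(("X-XSS-Protection", "0"))
    return headers


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into a dict keyed by
    lower-cased header name (header names are case-insensitive). Repeated
    headers are joined with ', '. Tolerates CRLF or bare LF line endings."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def xss_protection_state(raw_response: str) -> str:
    """Classify the X-XSS-Protection header of a raw response:
      'disabled' -> value '0' (filter explicitly turned off, as the proposal does)
      'enabled'  -> value '1' or '1; mode=block'
      'absent'   -> header not sent (the browser default applies)
      'unknown'  -> any other value"""
    value = parse_headers(raw_response).get("x-xss-protection")
    if value is None:
        return "absent"
    token = value.split(";", 1)[0].strip()
    if token == "0":
        return "disabled"
    if token == "1":
        return "enabled"
    return "unknown"


# Constructed sample responses (not captured from a real server).
SAMPLE_DISABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "x-xss-protection: 0\r\n"
    "\r\n<html><script>alert(1)</script></html>"
)
SAMPLE_BLOCK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html></html>"
)
SAMPLE_NONE = "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html></html>"

if __name__ == "__main__":
    print(response_headers({"DisableXSSProtection": 1}))
    for name, sample in [("disabled", SAMPLE_DISABLED), ("block", SAMPLE_BLOCK), ("none", SAMPLE_NONE)]:
        print(name, "->", xss_protection_state(sample))
```

The audit side matters because the header only affects browsers that ship a reflective-XSS filter (Internet Explorer, Safari and Chrome at the time of this proposal; Firefox never implemented one, and Chromium removed its XSS Auditor in 2019), so the filter being off on a development site should be verified from the response rather than assumed from the configuration.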

Examples

Impact

WhatDoesItAffect: Security, Usability

Implementation

-- Contributors: Mahiro Ando - 2013-03-05

Discussion

Topic revision: r4 - 2013-09-19 - PeterThoeny
