One of Edge's Cross-Site Scripting protections may be broken


In 2008 Microsoft introduced a Cross-Site Scripting protection technology called the XSS Filter. It lets website owners tell browsers, via an HTTP response header (X-XSS-Protection), whether external content should be rendered. The technology was later adopted by both Chrome and Safari.

Now it appears the latest version of Microsoft’s Edge browser has dropped the feature, according to security firm PortSwigger.

According to Gareth Heyes, a security researcher at PortSwigger, the most recent version of Edge no longer uses the XSS Filter by default, and even when website owners try to activate it, Edge does not respond.

“The XSS Filter is supposed to be on by default,” Heyes said. “However, it is now off by default, and even if you try to turn it on with X-XSS-Protection: 1 it remains off.”

Heyes suspects this is a bug, since Internet Explorer, which is still bundled with Windows 10, still responds correctly to the X-XSS-Protection header and sanitises web pages as expected.

“The only way to actually turn it on now is when you have the header X-XSS-Protection: 1; mode=block,” Heyes noted.
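To make the two header values quoted above concrete, here is an added example (not code from the article or from PortSwigger) that parses an X-XSS-Protection value and reports what a site is asking for, plus a small audit helper a defender can run over captured response headers. The `edge_effective` flag encodes the behaviour Heyes describes (only `1; mode=block` turns the filter on in current Edge); the `report=` directive is the Chrome-era extension of the header, and the sample headers at the bottom are constructed.

```python
"""Parse and audit X-XSS-Protection response headers (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class XssProtectionPolicy:
    enabled: bool              # leading token "1" -> True, "0" -> False
    mode_block: bool           # "mode=block" directive present
    report_uri: Optional[str]  # "report=<uri>" directive, if any
    edge_effective: bool       # per the report: current Edge honours only "1; mode=block"


def parse_xss_protection(value: Optional[str]) -> XssProtectionPolicy:
    """Parse a raw header value. An absent header leaves the browser default,
    which the report says is now 'off' in Edge, so edge_effective is False."""
    if value is None or not value.strip():
        return XssProtectionPolicy(False, False, None, False)

    parts = [p.strip() for p in value.split(";")]
    head, directives = parts[0], parts[1:]
    if head not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = head == "1"

    mode_block = False
    report_uri = None
    for directive in directives:
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            mode_block = True
        elif name == "report" and arg:
            report_uri = arg
        else:
            raise ValueError(f"unknown directive {directive!r} in {value!r}")

    return XssProtectionPolicy(enabled, mode_block, report_uri, enabled and mode_block)


def audit_response_headers(headers: dict) -> str:
    """Return a one-line finding for a response's headers (case-insensitive lookup)."""
    value = next((v for k, v in headers.items() if k.lower() == "x-xss-protection"), None)
    if value is None:
        return "no X-XSS-Protection header: relying on the browser default"
    policy = parse_xss_protection(value)
    if not policy.enabled:
        return "filter explicitly disabled (0)"
    if policy.edge_effective:
        return "filter on with mode=block: honoured by current Edge per the report"
    return "filter requested with '1' only: ignored by current Edge per the report"


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        {"Content-Type": "text/html"},
        {"X-XSS-Protection": "1"},
        {"x-xss-protection": "1; mode=block"},
        {"X-XSS-Protection": "0"},
        {"X-XSS-Protection": "1; report=https://example.invalid/xss-report"},
    ]
    for hdrs in samples:
        print(hdrs.get("X-XSS-Protection", hdrs.get("x-xss-protection")), "->",
              audit_response_headers(hdrs))
```

Run it directly to see the five constructed cases classified; in a real check you would feed it the headers from your own sites' responses and flag any that send only `1`.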

The move may, however, be intentional: attackers have been able to abuse the XSS Filter itself to rewrite web pages and attack the browser, and Mozilla never supported the technology, so websites never adopted it fully.

Microsoft has not given PortSwigger a substantive response, saying only “We have nothing to share” when asked about the issue.

Read more detail about the issue at BleepingComputer here.
