Cross Scripting Error Internet Explorer 9
Contents |
be down. Please try the request again. Your cache administrator is webmaster. Generated Wed, 05 Oct 2016 23:43:44 GMT by s_hv972 (squid/3.5.20)
be down. Please try the request again. Your cache administrator is webmaster. Generated Wed, 05 Oct 2016 23:43:45 GMT by s_hv972 (squid/3.5.20)
here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings http://stackoverflow.com/questions/11045665/what-triggers-internet-explorer-has-modified-this-page-to-help-prevent-cross-si and policies of this site About Us Learn more about Stack Overflow the company Business Learn more about hiring developers or posting ads with us Stack Overflow Questions Jobs Documentation Tags https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bug/ Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a community of 4.7 million programmers, just like you, helping each other. Join them; it only internet explorer takes a minute: Sign up What triggers “Internet Explorer has modified this page to help prevent cross-site scripting.”? up vote 6 down vote favorite 1 I'm trying to implement a workaround for missing CORS functionality in Internet Explorer. For GET requests I use JSONP, no problem here. For small POST/DELETE/PUT requests I also use JSONP by tunneling the requests through cross scripting error GET but this does not work for larger requests (Because the length of the GET URL is limited). So for large data I try to implement a form POST via an iframe. I can't read the response from this POST because of the same-origin policy so I fetch the response via a JSONP GET request after posting the data. Works great but sometimes I get a strange warning in IE 9: Internet Explorer has modified this page to help prevent cross-site scripting. First I wondered what the hell IE is doing there because even when this warning appears everything still works correctly. Then I found out that IE replaces the content of the hidden iframe AFTER the POST answer (which I can't read and need anyway) with a "#" character. So my workaround still works even when this warning appears but I would like to know what exactly triggers this warning so maybe I can modify my CORS workaround to get rid of this warning. Any hints? javascript internet-explorer jsonp cors share|improve this question asked Jun 15 '12 at 6:3
Feb 2015 0 Internet Explorer, Microsoft, Privacy, Vulnerability, Windows Post navigation Previous: D-Link routers vulnerable to DNS hijackingNext: SSCC 184 - What's the lifespan of a GHOST? [PODCAST] by Paul Ducklin 0Share on Facebook Share on Twitter Share on Google+ Share on LinkedIn Share on Reddit Another day, another zero-day. This time, Microsoft Internet Explorer is attracting the sort of publicity a browser doesn't want, following the public disclosure of what's known as a Cross-Site Scripting, or XSS, bug. With Microsoft apparently now investigating and looking at a patch, the timing of the disclosure certainly looks to be irresponsible. There's no suggestion that Microsoft failed to meet any sort of deadline to get a patch out, or even that the company was contacted in advance. Nevertheless, details of the bug have been revealed, including some proof-of-concept JavaScript showing how to abuse the hole. So, what is XSS, and what does this mean for security? A SOP for security Browser security, as you will have read before on Naked Security, depends heavily on what's called the Same Origin Policy, or SOP. Simply put, any resources specific to site X that are stored locally by the browser, such as cookies and JavaScript data objects, should only subsequently be visible when you are looking at content from site X. In other words, if you visit my site, example.com, and I set a cookie that says, "This user last searched for the word ‘banana'," only JavaScript from my site should ever be able to read that data back. If your next web page is another.example, then my cookie should essentially vanish from view. But if ever you browse back to a page on the example.com site, the ‘banana' cookie will be visible again. There are two obvious reasons for this: Safety. Two sites might set a cookie with the same name, e.g. UserHasLoggedIn. These are different cookies and must not be allowed to clash. Security. Whether a UserHasLoggedIn or not on my site is no business of yours. So my cookie should be kept private. Enter XSS But what if I can rig up a web link or some JavaScript on my site that fetches a page from your site, and somehow adapts it with malicious content of my choice before the user's browser displays it? If I can somehow inject JavaScript of my own into one of your web pages, then my script suddenly has your origin. In theory, I could access your cookies, or read text displayed in your web page, and post the data to a third party site in order to collect