A string starting with "JavaScript:" causes a false alarm in the IE XSS filter

Jun 12, 2015

Recently, while adding a comment function to my blog article pages, IE always prompted the message "Internet Explorer has modified this page to help prevent cross-site scripting" when browsing one specific article page. After debugging with Fiddler, I found that the article title began with "JavaScript:", which the XSS filter treated as a javascript: protocol string, so it blocked the web page. In fact the title was just a normal string without any script code.

Symptom

IE always prompted the message "Internet Explorer has modified this page to help prevent cross-site scripting" on a specific article page after I added the Disqus comment module to all blog article pages.

Analysis

By setting a breakpoint on all HTTP requests from Disqus in Fiddler, I found that IE prompted the XSS warning as soon as the following request finished.

https://disqus.com/embed/comments/?base=default&version=f8c7fb3e481e395d73402c004723f1b9&f=joji-me&t_i=html-attribute-vs-dom-property&t_u=http%3A%2F%2Fjoji.me%2Fblog%2Fhtml-attribute-vs-dom-property&t_e=JavaScript%3A%20What%26%2339%3Bs%20the%20difference%20between%20HTML%20attribute%20and%20DOM%20property%3F&t_d=JavaScript%3A%20What's%20the%20difference%20between%20HTML%20attribute%20and%20DOM%20property%3F&t_t=JavaScript%3A%20What%26%2339%3Bs%20the%20difference%20between%20HTML%20attribute%20and%20DOM%20property%3F&s_o=default&l=en

I went a step further to locate the root cause by replacing the response content in Fiddler, and found that it was caused by the article title "JavaScript: What's the difference between HTML attribute and DOM property?", which starts with the string "JavaScript:". The Disqus IFRAME page contained the title both in URL query parameters and in a JSON string. The problem went away after removing "JavaScript:".

It seems that the IE XSS filter simply checks whether the string starts with "JavaScript:" rather than checking whether the whole string is actually script code.

Solutions

  1. Disable the IE XSS filter in the IE security zone settings. This is not a viable solution, since it is a client-side setting.
  2. Add the HTTP response header X-XSS-Protection: 0. This is still infeasible, however, because it would have to be set on the Disqus server side.
  3. For now I have to manually change the article title in the Disqus management site to avoid the false alarm from the IE XSS filter.

In the long term, I still hope the IE team can improve the XSS filter detection logic to fix this issue. I have already submitted the issue to IE feedback as "IE11 needlessly prompts XSS warning for harmless web content", with a reproduction page: http://joji.me/test/ie-xss/.