Issue 25: "Internet Explorer has modified this page to prevent cross-site scripting"
Status:  New
Owner:  ----


Reported by SSchmit...@gmail.com, Sep 12, 2010
I am using the JavaScript API and get this error when I run my application that modifies a contact record:

"Internet Explorer has modified this page to prevent cross-site scripting"

I was able to eliminate the error by adding my domain to the "Trusted Sites" list in IE8 and get everything to work just fine.

However, in reading this tech note:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

It looks like this problem can be completely eliminated by adding:
X-XSS-Protection: 0

to your https header that you are sending.  Could the Google API do that?  I think it would be helpful.

thanks,

Scott.
Sep 12, 2010
#1 SSchmit...@gmail.com
I have added the header:
X-XSS-Protection: 0

to my HTML page which is running the JavaScript which calls the Google code and this turned off the errors I was seeing in IE8.
Apr 21, 2011
#2 SSchmit...@gmail.com
I spoke with the engineer responsible for the XSS filter in IE.  He tells me that this XSS Protection header must be turned off from the Google side.  Without having that XSS filter turned off, the XSS filter believes that Google Contacts API calls to create contacts are some kind of brute force attack after creating around 13 records.

I would recommend that Google turn the XSS filter off - to 0.
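
The page-side workaround from comment #1, sketched as an added example (not code from the reporter or from Google): a Node-style handler that sends `X-XSS-Protection: 0` only for the one page that calls the API, plus a parser that checks what the browser will receive. The path `/contacts/edit.html` and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and paths throughout.
// Pages allowed to opt out of the browser XSS filter (constructed path).
const FILTER_OFF_PATHS = new Set(['/contacts/edit.html']);

// Parse an X-XSS-Protection value into { enabled, block }.
// Returns null when the value is absent or does not start with 0 or 1,
// in which case the browser's own default applies.
function parseXssProtection(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split(';').map((p) => p.trim().toLowerCase());
  if (parts[0] !== '0' && parts[0] !== '1') return null;
  const enabled = parts[0] === '1';
  return { enabled, block: enabled && parts.includes('mode=block') };
}

// Header value for a request path: "0" only on the listed pages,
// so the opt-out is not applied site-wide.
function xssProtectionFor(path) {
  const pathname = path.split('?')[0];
  return FILTER_OFF_PATHS.has(pathname) ? '0' : null;
}

// Handler with the (req, res) shape used by Node's http.createServer.
function handler(req, res) {
  const value = xssProtectionFor(req.url);
  if (value !== null) res.setHeader('X-XSS-Protection', value);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!doctype html><title>demo</title>');
}

// Run one request through the handler without opening a socket and
// report how the browser would interpret the header it receives.
function simulate(url) {
  const headers = {};
  const res = {
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    end: () => {},
  };
  handler({ url }, res);
  return parseXssProtection(headers['x-xss-protection']);
}

console.log(simulate('/contacts/edit.html')); // { enabled: false, block: false }
console.log(simulate('/index.html'));         // null
```

Every page not on the list keeps the filter at the browser's default, so the opt-out stays limited to the page that triggers the false positive.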