With the recent Chrome 57 build, XSS Auditor detection was vastly improved. New guidelines were set, because of which web services stopped working and returned the error message ‘ERR_BLOCKED_BY_XSS_AUDITOR’. This error message is caused when HTML content is sent inside the request via the POST method. Google Chrome has an XSS security feature which always analyzes the HTML being submitted via forms and blocks those requests. This way, the forms are never sent through and XSS exploits are avoided.

What causes the error message ‘ERR_BLOCKED_BY_XSS_AUDITOR’ in Chrome?

As mentioned before, the recent build of Chrome revamped the XSS Auditor so that XSS vulnerabilities are not exploited. Because of this, you might receive the error message if you have not updated your source code accordingly. Most of the time, it is a false positive in which the browser believes that a ‘cross-site scripting’ attack is being attempted. These attacks primarily occur when the browser is tricked into rendering JavaScript or HTML which is not part of the display aspect of the website.

Solution (If you administer the website)

If you are a website administrator and this error message occurs during normal usage, you can try to remove it by adding some page headers to the POST headers. This is a temporary fix until you can come up with a proper alternative which properly handles the XSS Auditor request.

PHP

Add the following header in your PHP file:

ASP.NET

Here we are disabling the XSS protection temporarily until you can add the proper handler in your source code. If you are configuring the Web.Config file, you can add the following code instead:

ASP.NET Server Request Validation

In some cases, the server will reject the POST request even if we have added the required header. Another workaround is to use ‘Request.Unvalidated’, an object created specifically for obtaining ‘unsafe’ request data. This will most probably only work for ASP.NET Request Validation.

If you are using web forms, you can use:

If you are using MVC, you can use ‘[ValidateInput(false)]’, which is an attribute on the controller. This is done to prevent validation.

IIS HttpRuntime Settings

IIS Express is used by Visual Studio for web services and is one of the most used architectures to date. When you are using ASP.NET, IIS might block your request even before ASP.NET gains control. We will try to turn this off in web.config and regain the old behavior using the following code:

If we do not do this, IIS will fail and reject the request even before it is passed on to ASP.NET.

Note: These workarounds are a good idea if your website is inaccessible and is causing you a loss. You should always modify your source code so you can handle the XSS Auditor properly. Only use these temporarily until you can work out a proper fix.
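
An added example, not code from the original page: a Python check that scans a Web.config for the temporary workarounds described above, so they can be found and removed once the proper fix is in place. The sample config is constructed, and the settings it looks for (`X-XSS-Protection: 0`, `requestValidationMode="2.0"`, `validateRequest="false"`) are the standard ASP.NET/IIS forms of these workarounds, assumed here because the page's own snippets are not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config carrying the temporary workarounds.
# Element and attribute names are standard ASP.NET/IIS settings; the values
# are assumptions, since the page's own snippets are not shown.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-XSS-Protection" value="0" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def find_xss_workarounds(config_xml):
    """Return (setting, reason) tuples for each weakening setting found."""
    root = ET.fromstring(config_xml)
    findings = []
    # Response header that switches the browser's XSS filter off.
    for add in root.iter("add"):
        name = (add.get("name") or "").lower()
        value = (add.get("value") or "").strip()
        if name == "x-xss-protection" and value.startswith("0"):
            findings.append(("X-XSS-Protection: " + value,
                             "browser XSS filter disabled"))
    # Pre-4.0 validation mode: validation only runs where pages allow it.
    for runtime in root.iter("httpRuntime"):
        if runtime.get("requestValidationMode") == "2.0":
            findings.append(('httpRuntime requestValidationMode="2.0"',
                             "legacy request validation mode"))
    # Site-wide opt-out of ASP.NET request validation.
    for pages in root.iter("pages"):
        if (pages.get("validateRequest") or "").lower() == "false":
            findings.append(('pages validateRequest="false"',
                             "request validation off for all pages"))
    return findings


if __name__ == "__main__":
    for setting, reason in find_xss_workarounds(SAMPLE_WEB_CONFIG):
        print(f"{setting}: {reason}")
```

Settings nested under a `<location>` element are also matched, because the search walks the whole document.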

Solution (If you do not administer the website)

If you are a regular user and do not administer or have access to the website, you can try launching Chrome without the XSS Auditor. We will create a shortcut of Google Chrome and add the necessary flags to launch it in that condition.

For 64-bit Chrome

For 32-bit Chrome

Note: This method disables the XSS Auditor in your browser, which is an integral part of its security mechanism. Please proceed at your own risk; it is recommended that you only use this feature temporarily.
