XSS Auditor blocks by default

Chrome's XSS Auditor should block pages by default, rather than filtering out suspected reflected XSS (stripping only the suspected script and rendering the rest of the page). Moreover, we should remove the filtering option, as selectively breaking specific pieces of a page's script has itself been an XSS vector in the past.

Status in Chromium

Enabled by default (tracking bug) in:

  • Chrome for desktop release 57
  • Chrome for Android release 57
  • Android WebView release 57
  • Opera release 44
  • Opera for Android release 44

Consensus & Standardization

  • Mixed public signals
  • Mixed public signals
  • Mixed public signals
  • Mixed signals
Last updated on 2017-06-14