Chrome's XSS Auditor should block pages by default rather than filtering out suspected reflected XSS. Moreover, we should remove the filtering option altogether: selectively neutering specific pieces of a page's script has itself been an XSS vector in the past, since an attacker who controls which scripts the auditor strips can disable a page's own defences.
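To make the "filtering is itself a vector" point concrete, here is an added example (not Chromium code, and not the real auditor's matching logic): a toy reflected-XSS auditor run in "filter" and "block" mode against a hypothetical page at app.example that correctly HTML-escapes its query parameter and carries one legitimate inline frame-busting script. The matching rule (an inline script whose body also appears verbatim in the request URL counts as "reflected") is a deliberate simplification; the page, the URL and the frame-busting snippet are constructed for the example.

```javascript
// Added example: toy model of an XSS auditor in "filter" vs "block" mode.
// Not Chromium code; the matching rule is a simplification of the real one.

// Legitimate defensive script the hypothetical page ships (assumed).
const FRAME_BUST = 'if (top !== self) { top.location = self.location; }';

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical server page: one legitimate inline script plus a properly
// escaped reflection of the ?q= parameter. There is no real XSS in it.
function renderPage(q) {
  return [
    '<html><head>',
    `<script>${FRAME_BUST}</script>`,
    '</head><body><h1>Account</h1>',
    `<div id="results">Results for: ${escapeHtml(q)}</div>`,
    '</body></html>',
  ].join('\n');
}

function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Toy auditor: an inline script is "reflected" if its body appears in the
// decoded request URL. Malformed encodings fall back to the raw URL.
function findReflectedScripts(url, html) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch { decoded = url; }
  const hits = [];
  for (const m of html.matchAll(/<script>([\s\S]*?)<\/script>/g)) {
    if (m[1].length > 0 && decoded.includes(m[1])) hits.push(m[0]);
  }
  return hits;
}

// mode 'filter': strip only the suspect scripts and render the rest.
// mode 'block' : refuse to render the page at all.
function audit(url, html, mode) {
  const hits = findReflectedScripts(url, html);
  if (hits.length === 0) return { verdict: 'clean', html };
  if (mode === 'block') return { verdict: 'blocked', html: '' };
  let out = html;
  for (const h of hits) out = out.replace(h, '<script></script>');
  return { verdict: 'filtered', html: out };
}

// Does the rendered page still carry its frame-busting script?
function hasFrameBust(html) {
  return html.includes(`<script>${FRAME_BUST}</script>`);
}

// Attack: put the page's OWN frame-busting code into the query string so the
// auditor mistakes the legitimate script for a reflection of attacker input.
function demo(mode) {
  const url = 'https://app.example/search?q=' + encodeURIComponent(FRAME_BUST);
  const html = renderPage(queryParam(url, 'q'));
  return audit(url, html, mode);
}

// In filter mode the page renders, but without its clickjacking defence:
//   demo('filter') -> verdict 'filtered', hasFrameBust(html) === false
// In block mode the attacker gets at most a denial of service:
//   demo('block')  -> verdict 'blocked', html === ''
```

The lesson the filter run shows is that the attacker never needed an injection point: a harmless, fully escaped reflection was enough to make the auditor remove a script of the attacker's choosing. Block mode turns that into an unhelpful blank page, which is the behaviour this change makes the default.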


Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 57
  • Chrome for Android release 57
  • Android WebView release 57

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • Mixed signals


Last updated on 2020-11-09