Chrome's XSS Auditor should block pages by default, rather than filtering out suspected reflected XSS. Moreover, we should remove the filtering option, as breaking specific pieces of page's script has been an XSS vector itself in the past.

Documentation

Status in Chromium

Blink>SecurityFeature


Enabled by default (tracking bug) in:

  • Chrome for desktop release 57
  • Chrome for Android release 57
  • Android WebView release 57

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • Mixed signals

Owner

Last updated on 2020-11-09