XSS Auditor blocks by default

Chrome's XSS Auditor should block pages by default, rather than filtering out suspected reflected XSS. Moreover, we should remove the filtering option, since selectively breaking pieces of a page's script has itself been an XSS vector in the past.

Status in Chromium

Enabled by default (launch bug) in:

  • Chrome for desktop release 57
  • Chrome for Android release 57
  • Android WebView release 57
  • Opera release 44
  • Opera for Android release 44

Consensus & Standardization

  • Mixed public signals
  • Mixed public signals
  • Mixed public signals
  • Mixed signals

Last updated on 2016-11-23