by koto1sa
2534 days ago
Well, the age of in-browser reflected XSS filters is simply over. This was a flawed idea for multiple reasons, and they are thankfully now gone from Chrome and Edge (https://portswigger.net/daily-swig/xss-protection-disappears...). I guess of the modern browsers only Safari still has one. There are modern XSS defenses you can use; XSS filters just did not stand the test of time well. I would state that it is good if your XSS works in Chrome, just like it works in Firefox. That XSS should be fixed by the website, instead of the website owners neglecting the fix and assuming they're protected because the alert doesn't fire in Chrome. Especially given that if the attacker spends a bit of time tailoring the payload, they may bypass the auditor.

What if a website doesn't fix its XSS vulnerabilities and continues to spew attacker-controlled content? I don't think it will help users to base browser security on "shoulds".
I've been taught that security should be built in layers. Removing a functioning albeit not perfect layer for no good reason is baffling to me.