XSS Filter on Microsoft Edge Web Browser Ceases Operation
Microsoft introduced the XSS filter in 2008, initially integrating it into Internet Explorer 8 and later extending it to Edge. Other browsers like Google Chrome and Safari also adopted the XSS filter over time.
How does the XSS filter operate?
This security feature is also known as X-XSS-Protection, after the HTTP response header of the same name that website owners can configure on their web server.
When the browser loads a page from such a site and sees the header, it configures its XSS protection filter according to the header's value, which can be one of three:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
When the browser detects the header 'X-XSS-Protection: 0', it will deactivate the XSS protection filter.
Upon encountering the header 'X-XSS-Protection: 1', the browser will sanitize the page's code and remove specific patterns for XSS attacks.
When detecting 'X-XSS-Protection: 1; mode=block', the browser will block the display of any content on the page if it identifies specific patterns for XSS attacks.
The Edge browser uses the second value as the default, meaning it will attempt to sanitize the code of any loaded webpage, regardless of whether the webpage's header is configured with X-XSS-Protection or not.
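The following is an added example, not code from the original article or from Microsoft or PortSwigger. It maps an X-XSS-Protection header value to the filter behaviour described above, with a case-insensitive header lookup and tolerance for malformed values. The `edge_as_observed` switch models the behaviour Heyes reported (only `1; mode=block` activates the filter); that switch and the sample responses in `main()` are constructed for illustration.

```python
"""Map an X-XSS-Protection header value to the XSS filter behaviour it selects.

Added example, not code from the article or from any browser vendor. The
documented mapping follows the article: missing header or "1" sanitises,
"0" disables, "1; mode=block" blocks. edge_as_observed=True models the
reported Edge behaviour, where only mode=block activates the filter.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple


@dataclass(frozen=True)
class FilterBehaviour:
    active: bool   # does the browser run its XSS filter on this page?
    blocks: bool   # True when a detected pattern blocks rendering entirely
    reason: str    # short explanation for a report


def parse_x_xss_protection(value: Optional[str]) -> Tuple[Optional[str], Dict[str, str]]:
    """Split a header value into its leading flag ("0"/"1"/...) and directives.

    A None flag means the header is absent or empty. Directive names and
    values are lower-cased; unknown directives are kept for reporting.
    """
    if value is None or not value.strip():
        return None, {}
    parts = [p.strip() for p in value.split(";") if p.strip()]
    flag = parts[0].lower()
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().lower()
    return flag, directives


def filter_behaviour(value: Optional[str], edge_as_observed: bool = False) -> FilterBehaviour:
    """Return what the browser's XSS filter does for a page carrying `value`."""
    flag, directives = parse_x_xss_protection(value)
    if flag == "0":
        return FilterBehaviour(False, False, "site opted out with X-XSS-Protection: 0")
    if flag not in (None, "1"):
        # Malformed flag: treat like an absent header so the browser default applies
        flag, directives = None, {}
    if flag == "1" and directives.get("mode") == "block":
        return FilterBehaviour(True, True, "mode=block: page rendering blocked on detection")
    if edge_as_observed:
        # Behaviour reported by Heyes (assumption drawn from the article)
        return FilterBehaviour(False, False, "Edge as reported: filter stays off without mode=block")
    if flag is None:
        return FilterBehaviour(True, False, "no header: browser default (sanitise) applies")
    return FilterBehaviour(True, False, "X-XSS-Protection: 1: detected patterns are sanitised")


def lookup_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, val in headers.items():
        if key.lower() == wanted:
            return val
    return None


def main() -> None:
    # Constructed sample responses, not captured from any real site
    samples = {
        "no header": {"Content-Type": "text/html"},
        "disabled": {"x-xss-protection": "0"},
        "sanitise": {"X-XSS-Protection": "1"},
        "block": {"X-XSS-Protection": "1; mode=block"},
        "malformed": {"X-XSS-Protection": "yes please"},
    }
    for label, headers in samples.items():
        value = lookup_header(headers, "X-XSS-Protection")
        spec = filter_behaviour(value)
        edge = filter_behaviour(value, edge_as_observed=True)
        print(f"{label:10} documented: active={spec.active!s:5} block={spec.blocks!s:5} | "
              f"Edge as reported: active={edge.active}")


if __name__ == "__main__":
    main()
```

Running the script side by side shows why the finding matters: under the documented semantics every response except `0` keeps the filter on, while under the reported Edge behaviour only the `mode=block` response does.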
Edge's XSS Filter is not activated by default
Recently, security researcher Heyes discovered that the XSS filter on the Edge browser is not functioning correctly and is disabled by default.
According to the researcher, the XSS filter is supposed to be activated by default. However, it remains disabled; even when attempting to enable X-XSS-Protection: 1, the filter stays deactivated.
The reason why the XSS filter is turned off by default for all websites is yet to be revealed. Microsoft and the Edge development team have not issued any official statements on this matter.
It is likely not an intentional configuration from Microsoft but a glitch. The feature still works normally and is active in Internet Explorer; had Microsoft intended to drop it, it would presumably have removed the feature from both browsers.
It is also possible that the XSS filter does still run on Edge, but only when a website uses the third setting (mode=block), which most website owners avoid because it stops Edge from displaying the page at all; without that setting, the filter stays off.
Heyes emphasizes that the only way to activate the XSS filter is by using the setting X-XSS-Protection: 1; mode=block.
As for Microsoft's response, the company has given the security firm PortSwigger no further comment or information beyond the statement it issued earlier this week.
Scenario: XSS filter removed
Researchers at PortSwigger also consider the hypothesis that the XSS filter has been deliberately removed. There are several reasons not to dismiss this possibility.
Firstly, researchers have shown that the feature itself can be abused to carry out other attacks on the browser.
Secondly, Mozilla never adopted this feature, favouring instead an anti-XSS mechanism with cross-browser support.
Thirdly, according to MDN, the official documentation site for web features, the XSS filter is no longer as crucial as before:
'While these protective measures are largely unnecessary on modern browsers when websites implement Content-Security-Policy, disabling the use of unsafe JavaScript, these measures can still safeguard users on older web browsers that support CSP.'
Fourthly, website owners often misunderstand this feature and misconfigure their websites, so the feature is rarely fully utilized.
Lastly, whether it is disabled by a bug or by Microsoft's decision, the XSS filter attracts little interest from users.
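The MDN passage quoted above makes the filter's relevance hinge on whether a site's Content-Security-Policy forbids inline JavaScript. The following is an added example, not code from the article or from MDN, that performs that check on a serialized CSP header: it parses the directives, applies the `script-src` to `default-src` fallback, and honours the CSP Level 2 rule that a nonce or hash source causes `'unsafe-inline'` to be ignored. The sample policies in `main()` are constructed.

```python
"""Decide whether a Content-Security-Policy disables unlisted inline scripts.

Added example, not from the article or MDN. Sample policies are constructed.
"""
from typing import Dict, List, Optional

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive-name: [source tokens]}.

    Directive names are case-insensitive. The first occurrence of a name wins;
    CSP requires browsers to ignore later duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs inline scripts; default-src is the fallback; None if neither is set."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def inline_scripts_blocked(policy: str) -> bool:
    """True when inline <script> blocks not allow-listed by nonce/hash are refused."""
    sources = effective_script_sources(parse_csp(policy))
    if sources is None:
        return False  # no governing directive: inline scripts run freely
    lowered = [s.lower() for s in sources]
    if any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered):
        # CSP Level 2+: a nonce or hash source makes 'unsafe-inline' ignored
        return True
    # An empty source list is equivalent to 'none' and also blocks inline scripts
    return "'unsafe-inline'" not in lowered


def assess(policy: Optional[str]) -> str:
    """One-line verdict in the terms of the MDN passage: does CSP make the legacy filter redundant?"""
    if not policy:
        return "no CSP: legacy XSS filter is the only browser-side defence"
    if inline_scripts_blocked(policy):
        return "CSP forbids inline scripts: legacy XSS filter largely unnecessary"
    return "CSP permits inline scripts: legacy XSS filter still relevant"


def main() -> None:
    # Constructed sample policies, not taken from any real site
    samples = [
        None,
        "default-src 'self'",
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "script-src 'nonce-r4nd0m' 'unsafe-inline'",
        "img-src 'self'",
    ]
    for policy in samples:
        print(f"{str(policy):60} -> {assess(policy)}")


if __name__ == "__main__":
    main()
```

The `'unsafe-inline'` plus nonce case is the one practitioners most often misjudge: the keyword is present, yet the policy still blocks unlisted inline scripts, which is exactly why the check cannot be a plain substring search.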
