Fix: ERR_BLOCKED_BY_XSS_AUDITOR

Chrome is under constant development, with new versions released regularly to add features and security improvements. Chrome is not only used for browsing; developers also rely on it for many web services.

ERR_BLOCKED_BY_XSS_AUDITOR in Chrome

With the Chrome 57 build, the XSS Auditor's detection was tightened considerably. Under the new rules, some web services stopped working and Chrome showed the error message ‘ERR_BLOCKED_BY_XSS_AUDITOR’.

This error appears when HTML content is sent in the body of a POST request. Chrome's XSS Auditor inspects the HTML submitted through forms and blocks requests it considers suspicious. As a result the form is never submitted, and a reflected XSS exploit is avoided.

What causes the error message ‘ERR_BLOCKED_BY_XSS_AUDITOR’ in Chrome?

As mentioned above, the recent Chrome build revamped the XSS Auditor so that XSS vulnerabilities cannot be exploited. Because of this, you may receive the error message if you have not updated your source code accordingly.

Most of the time this is a false positive: the browser believes that a ‘cross-site scripting’ attack is being attempted. Such attacks work by tricking the browser into rendering JavaScript or HTML that is not part of the website's intended content.

Solution (If you administer the website)

If you are a website administrator and this error occurs during normal use of the site, you can suppress it by adding a header to the pages that handle the POST. This is a temporary fix until you can come up with a proper alternative that handles the XSS Auditor correctly.

PHP

Add the following header in your PHP file:

header('X-XSS-Protection:0');

ASP.NET

Here the XSS protection is disabled temporarily, until you can add the proper handling to your source code:

HttpContext.Response.AddHeader("X-XSS-Protection","0");

If you are configuring the Web.Config file, you can add the following code instead:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-XSS-Protection" value="0" />
        </customHeaders>
    [...]

ASP.NET Server Request Validation

In some cases the server will reject the POST request even after the header has been added. Another workaround is ‘Request.Unvalidated’, an object provided specifically for reading ‘unsafe’ (unvalidated) request data.

var code = Request.Unvalidated.Form["code"];

This applies only to ASP.NET request validation.

If you are using web forms, you can use:

<%@ Page validateRequest="false" %>

If you are using MVC, apply the ‘[ValidateInput(false)]’ attribute to the controller action to disable request validation for that action:

[ValidateInput(false)]
public ActionResult Convert(CodeRequest request)
{ ... }
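As an added example (not the article's own code), here is a minimal ASP.NET MVC action that combines the ‘[ValidateInput(false)]’ and ‘Request.Unvalidated’ workarounds above with the proper fix the article asks for later: the submitted HTML is HTML-encoded before it is sent back, so the response never reflects the request as executable markup and the auditor can stay enabled. The controller name and the 400 response are assumptions; the ‘code’ form field is the one the article uses.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical controller (not from the article) that receives the
// user-supplied HTML the article's form posts in the "code" field.
public class ConvertController : Controller
{
    [HttpPost]
    [ValidateInput(false)] // let the raw HTML reach this action instead of request validation rejecting it
    public ActionResult Convert()
    {
        // Read the field without ASP.NET request validation, as the article does.
        string code = Request.Unvalidated.Form["code"];
        if (string.IsNullOrEmpty(code))
        {
            // Assumed behaviour: reject an empty submission with a plain 400.
            return new HttpStatusCodeResult(400, "Missing 'code' field");
        }

        // The proper fix: never reflect the submitted markup as live HTML.
        // HtmlEncode turns "<script>" into "&lt;script&gt;", so the response
        // contains no executable copy of the request and the auditor has
        // nothing to block.
        string safeHtml = HttpUtility.HtmlEncode(code);

        // Send the encoded text back inside <pre> so it is displayed, not executed.
        return Content("<pre>" + safeHtml + "</pre>", "text/html");
    }
}
```

Once the response no longer reflects the posted HTML, the X-XSS-Protection: 0 header and the browser-side flag described below are no longer needed.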

IIS HttpRuntime Settings

IIS Express is used by Visual Studio to host web applications and is one of the most widely used setups today. When you are using ASP.NET, the request may be blocked even before your ASP.NET code gains control. To turn this off in web.config and restore the older validation behaviour, add the following:

<httpRuntime requestValidationMode="2.0"/>

Without this setting, IIS will reject the request before it is ever passed on to ASP.NET.

Note: These workarounds are a good idea if your website is inaccessible and this is costing you. You should still modify your source code so that it handles the XSS Auditor properly, and only use these workarounds temporarily until you have a proper fix.

Solution (If you do not administer the website)

If you are a regular user and do not have access to or administer the website, you can try launching Chrome without the XSS Auditor. We will create a Google Chrome shortcut and add the flag needed to launch it with the auditor disabled.

  1. Right-click anywhere on your desktop and select New > Shortcut.
  2. Now paste the following command line, depending on the version of Google Chrome installed on your computer.

For 64-bit Chrome

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

For 32-bit Chrome

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

Opening Chrome with XSS Auditor Disabled

  3. Your Chrome shortcut will now be created. Try accessing the website through it and check whether the error message is resolved.

Note: This method disables the XSS Auditor in your browser, which is an integral part of its security mechanisms. Please proceed at your own risk; it is recommended that you only use this temporarily.

ABOUT THE AUTHOR

Kevin Arrows
