Comments (7)
Thanks Arnout, I'll dig into it. appreciate the heads up.
Arnout Kazemier wrote:
There used to a bug in the XSS filters in Internet Explorer which
actually enabled XSS attacks instead of preventing it. Making sites
which would normally be safe vulnerable for attacks.So helmet could actually make sites more vulnerable instead of
protecting them. The simplest solution would be disabling the filter
for IE8 as this fix was most certainly landed in IE9 > as I doubt it
can be detected by UA sniffing. If you feel it's not worth to fix
this.. Please consider adding a note to the README file so developers
know that they potentially expose them selfs to XSS attacks.Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002—
Reply to this email directly or view it on GitHub
#26.
from helmet.
Setting the header X-XSS-Protection: 0
isn't totally a solution, because Chrome respects it. With no header set, it'll block the script from running but keep the page:
With the header set to X-XSS-Protection: 1; mode=block
, it redirects to a blank page.
And with it set to 0
, it actually runs the script (bad news!):
My adventures in Firefox never ran the script. If you're interested, here's the PHP I used to test this:
<?php
// Uncomment these to see the magic...
/* header('X-XSS-Protection: 0'); */
/* header('X-XSS-Protection: 1; mode=block'); */
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>test thing</title>
</head>
<body>
<p>Hello, <?php echo $_GET['name'] ?>!</p>
<p>The above code looks like this:</p>
<pre>Hello, <?php echo $_GET['name'] ?>!</pre>
</body>
</html>
This might be another browser-sniffing adventure...
from helmet.
Per my understanding [which may be incorrect, only skimmed Arnout's links] the trouble was with IE's page rewriting — the vulnerability was in "fixup" mode as it were. By sending mode=block
is the vulnerability avoided, or did IE8 not support that option to begin with?
from helmet.
FWIW, there's no mention of mode=block
on the original announcement but I guess that doesn't rule out they added it to IE8 as a security patch.
from helmet.
This isn't an easy thing to solve. If you include it, you make people on new browsers safer and people on old browsers vulnerable to complex attacks. If you don't include it, you make people on all browsers less safe.
I think the algorithm is this:
if ((browser != 'IE') || (version >= 9) || (options.setOnOldIE)) {
res.setHeader('X-XSS-Protection', '1; mode=block');
} else {
res.setHeader('X-XSS-Protection', '0');
}
I think you should have to opt in to setting the header for IE 8 and below. I think the API should look like this:
app.use(helmet.iexss());
app.use(helmet.iexss({ setOnOldIE: true }));
And, of course, add a lot of information about this in the README.
Does this sound good?
from helmet.
I think this is perfectly acceptable, specifically the part about
documenting the concern in the README.
Evan Hahn wrote:
This isn't an easy thing to solve. If you include it, you make people
on /new/ browsers safer and people on /old/ browsers vulnerable to
complex attacks. If you don't include it, you make people on /all/
browsers less safe.I think the algorithm is this:
if ((browser != 'IE') || (version >= 9) || (options.setOnOldIE)) {
res.setHeader('X-XSS-Protection', '1; mode=block');
} else {
res.setHeader('X-XSS-Protection', '0');
}I think you should have to opt /in/ to setting the header for IE 8 and
below. I think the API should look like this:app.use(helmet.iexss());
app.use(helmet.iexss({ setOnOldIE: true }));And, of course, add a lot of information about this in the README.
Does this sound good?
—
Reply to this email directly or view it on GitHub
#26 (comment).
from helmet.
Working on it now!
from helmet.
Related Issues (20)
- Getting Error Type 'typeof import("/home/quophyie/projects/helmet-issue/node_modules/helmet/index")' has no call signatures when running tests with jest, ts-jest when using ESM / ECMAScript Modules HOT 13
- helmet + sanitizeFilter HOT 1
- Require Node 18+ HOT 5
- Support `unsafe-none` in `helmet.crossOriginEmbedderPolicy`? HOT 1
- Typescript required versions HOT 2
- 7.1.0 Rollup error HOT 17
- Disable HSTS headers by default on localhost HOT 9
- Error "script-src-elem" is an invalid directive HOT 3
- 'self' and 'none' values lack quotes HOT 4
- swagger HOT 2
- Getting Name of Blocked Script? HOT 3
- Increase default Strict-Transport-Security maxAge to 1 year HOT 3
- remove block-all-mixed-content from helmet-csp default directives HOT 6
- helmet default directives doesnt match helmet-csp default directives HOT 3
- Strict-Transport-Security middleware should throw, not warn, when misspelling "includeSubDomains" option HOT 2
- Content-Security-Policy `getDefaultDirectives` should return a deep copy HOT 3
- csp header lack `script-src-elem` HOT 4
- [feature request] "simple allow everything" setting for development work? HOT 5
- Question: XSS HOT 3
- Request to add `Permissions-Policy` header HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from helmet.