This response header can be used to configure the user agent's built-in reflected-XSS protection. Currently only Microsoft's Internet Explorer, Google Chrome and Safari (WebKit) support this header.
Internet Explorer 8 includes a new feature to help prevent reflected cross-site scripting attacks, the XSS Filter. By default, this filter runs in the Internet, Trusted and Restricted security zones. Pages in the Local Intranet zone can opt in to the protection using the same header.
Regarding the header you posted in your question:
The header X-XSS-Protection: 1; mode=block enables the XSS Filter. When an XSS attack is detected, the browser does not sanitize the page; instead it blocks rendering of the page entirely.
In March 2010, we added to IE8 support for a new token in the X-XSS-Protection header, mode=block.
X-XSS-Protection: 1; mode=block
When this token is present, if a potential XSS reflection attack is detected, Internet Explorer will prevent rendering of the page. Instead of attempting to sanitize the page to surgically remove the XSS attack, IE will render only "#".
Internet Explorer recognized a possible cross-site scripting attack. It logs the event and displays an appropriate message to the user. The MSDN article describes how this header works.
For more on how this filter works in IE, see this article: https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
The XSS Filter operates as an IE8 component with visibility into all requests / responses flowing through the browser. When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing.
With the new XSS Filter, IE8 Beta 2 users encountering a Type-1 XSS attack will see a notification like the following:
[Image: IE8 XSS Attack Notification]
The page has been modified and the XSS attack is blocked.
In this case, the XSS Filter has identified a cross-site scripting attack in the URL. It has neutered this attack as the identified script was replayed back into the response page. In this way, the filter is effective without modifying an initial request to the server or blocking an entire response.
The Cross-Site Scripting Filter event is logged when Windows Internet Explorer 8 detects and mitigates a cross-site scripting (XSS) attack. Cross-site scripting attacks occur when one website, generally malicious, injects (adds) JavaScript code into otherwise legitimate requests to another website. The original request is generally innocent, such as a link to another page or a Common Gateway Interface (CGI) script providing a common service (such as a guestbook). The injected script generally attempts to access privileged information or services that the second website does not intend to allow. The response or the request generally reflects results back to the malicious website. The XSS Filter, a feature new to Internet Explorer 8, detects JavaScript in URL and HTTP POST requests. If JavaScript is detected, the XSS Filter searches evidence of reflection, information that would be returned to the attacking website if the attacking request were submitted unchanged. If reflection is detected, the XSS Filter sanitizes the original request so that the additional JavaScript cannot be executed. The XSS Filter then logs that action as a Cross-Site Script Filter event. The following image shows an example of a site that is modified to prevent a cross-site scripting attack.
Source: https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
Web developers may wish to disable the filter for their content. They can do so by setting the HTTP header:
X-XSS-Protection: 0
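To make the three header values above concrete, here is an added example (not code from the original answer or from Microsoft) that parses an X-XSS-Protection value from a response header set and reports which behaviour the site has requested: filter off, filter on with sanitising, or filter on with rendering blocked. The sample header sets and the function names are constructed for this example.

```python
"""Classify the X-XSS-Protection response header (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class XssProtection:
    present: bool          # header was sent at all
    enabled: bool | None   # False for "0", True for "1", None if unrecognised
    block: bool            # True when the mode=block token is present
    summary: str


def parse_xss_protection(value: str | None) -> XssProtection:
    """Classify one header value; None means the header was absent."""
    if value is None:
        # IE8 runs the filter by default in the Internet, Trusted and
        # Restricted zones, so an absent header leaves the browser default.
        return XssProtection(False, None, False, "absent: browser default applies")
    # Tokens are ';'-separated; field values are matched case-insensitively.
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return XssProtection(True, None, False, f"unrecognised value {value!r}")
    if parts[0] == "0":
        return XssProtection(True, False, False, "filter disabled by the site")
    block = any(p.replace(" ", "") == "mode=block" for p in parts[1:])
    summary = ("filter on: page rendering is blocked on detection" if block
               else "filter on: reflected script is sanitised in place")
    return XssProtection(True, True, block, summary)


def audit(headers: dict[str, str]) -> XssProtection:
    """Look the header up case-insensitively, as HTTP field names are."""
    for name, val in headers.items():
        if name.lower() == "x-xss-protection":
            return parse_xss_protection(val)
    return parse_xss_protection(None)


# Constructed sample responses, one per behaviour discussed above.
SAMPLE_RESPONSES = {
    "block":    {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
    "sanitise": {"Content-Type": "text/html", "x-xss-protection": "1"},
    "off":      {"Content-Type": "text/html", "X-XSS-Protection": "0"},
    "missing":  {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:9} -> {audit(hdrs).summary}")
```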
More information on security headers:
Guidelines for Setting Security Headers
Security HTTP Headers - X-XSS-Protection
MDN Docs X-XSS-Protection