The IE8 cross-site scripting filter seems to be causing some intermittent issues with our app. To be honest, I have not yet isolated it, and it may very well be some sort of IE8 add-on or some security software, but there seems to be at least some relationship to the new XSS filter in IE8.

I have done some preliminary research, and the issue I have is that I cannot seem to find reliable, detailed documentation on exactly what causes the IE8 XSS filter to kick in.

In our case, the HTML page created by our application can live anywhere (typically on a user's website, but it could also be a local document, or could be emailed to someone as an attachment), but does a form post back to another site (our site), so the action attribute of the form is a full URL, as opposed to a relative one. Note there is no AJAX going on here - just a standard HTML form posting data.

What appears to be happening (although we cannot reproduce it yet) is that IE8 strips out the action= URL from the page, thereby causing the click of the SUBMIT button to do nothing (no error, just nothing happens - wonderful).

As far as I can tell, the XSS filter should not be doing this, but again, it's kind of sketchy. I suspect perhaps some other add-on or security software may be causing this, but so far, we have been unable to isolate it.

Are there any experts out there that have some familiarity with this kind of issue that may be able to shed some light or point me in the correct direction?

Thanks.

A: 

Have you tried starting IE8 in Administrator mode to see if it works? My experience has been that security is usually the root of the problem when my web pages fail.

gerard
Same issue. I am really thinking this is NOT an XSS filter issue.
OneNerd
A: 

If it's the XSS filter, IE should pop up an informational message stating what's happening. Given your description of where the HTML file is located, I think the issue is that it's a POST across different security zones that makes IE not like it, especially when the HTML page is emailed to someone.

Yuliy