New issue
Advanced search Search tips
Starred by 5 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Show other hotlists

Hotlists containing this issue:
Hotlist-1


Sign in to add a comment

ERR_BLOCKED_BY_XSS_AUDITOR on bona fide site when posting to a forum

Reported by paddylan...@gmail.com, Mar 28 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36

Steps to reproduce the problem:
Posting to a forum, or sending PMs, will sometimes cause Chrome to display an error message.

This page isn't working. Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR

This happens regularly, not always, and I have not been able to discern a pattern. However, a reproducible example is given below.

I have tested this:
• On Chrome 57
• With all extensions disabled
• In a new user
• On a fresh installation of Chrome 58 (beta) without any extensions added

Searching for answers, I found that a number of people have reported this problem on various forums. The only way around this (apart from using a different browser!) is to disable XSS checking:
google-chrome --disable-xss-auditor
This is obviously not a good idea.

Steps to reproduce:

1. Go to Ubuntu Forums (https://ubuntuforums.org) and log in.

2. Choose any forum, and press Post New Thread.

3. Enter anything for the subject.

4. In the message area, enter this text:

[QUOTE=xxxxxxxxxxxx]Have a look at Ubuntu Forums.[/QUOTE]
Test message

5. Highlight "Ubuntu Forums" and create a link with it.

6. Press Preview Post (not Submit New Thread).

What is the expected behavior?
The request is sent to the site, which returns a preview of the message and the ability to continue working.

What went wrong?
Chrome does not send the request to the site, but instead presents the following error message.

This page isn’t working

Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR

Screenshot attached.

Did this work before? Yes 56, I believe

Chrome version: 57.0.2987.110  Channel: stable
OS Version: Ubuntu 16.04 64-bit
Flash Version: Shockwave Flash 25.0 r0
 
Screenshot from 2017-03-28 18-11-01.png
25.6 KB View Download

Comment 1 by tsepez@chromium.org, Mar 28 2017

Status: WontFix (was: Unconfirmed)
This appears to be a case where the site owner will need to specify x-xss-protection: 0 heaer since it is posting HTML back to itself.

Is there any way to make this issue public, please? It doesn't need to be restricted to the Security Team only. Thank you.
Labels: -Restrict-View-SecurityTeam allpublic
Sure. Removed the view restriction.
Thank you for removing the restriction.

I see that there is a related bug report:

https://bugs.chromium.org/p/chromium/issues/detail?id=702542
Thank you so much for making this public. 

My large forum at www.screamandfly.com (over 80,000 registered readers) was experiencing this issue, and the requisite emails from confused users asking what the message means. Many users are frightened by the wording of that error. To the uninitiated, the error message appears as if the site may be installing malware on their computer, which is absolutely not the case.

We added the 'protection "0"' header which seems right now to have mitigated the issue, however I would rather not have this as a permanent fix.  I haven't been able to fully test this temporary fix yet though. 

We have begun sending a newsletter recommending Firefox to all users for the time being.

I will continue to watch this and I am happy to help in any way I can. If Chrome's auditor could revert to the way it was in version 56, that would be ideal. Up until the latest version of Chrome was installed last week, I have never before encountered this message and I too became concerned by its wording, which brought me here.

Comment 6 by dc3de...@gmail.com, Aug 10 2017

This happens when you post to a forum system (e.g., vBulletin) and within your post, you refer to another post. This common practice has been made super-cumbersome. For example, ..." yes we were discussion this very thing last month in {hyperlink and title of another forum post} ..." 

This needs to be dialed back. It obviously didn't get subjected to enough field testing ha ha.  

Sign in to add a comment