XSS auditor needs a "continue anyway" option
Reported by teo8...@gmail.com, Feb 23 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce the problem:
I can't reply to issue #813066 because, as usual, it has been unnecessarily and prematurely closed to comments.

What is the expected behavior?
When content gets blocked by the XSS auditor, the user should have an option to ignore the error and proceed at their own risk, as happens with ALL other security features (e.g. popup blockers, invalid https certificates, etc.). The command-line switch to entirely disable the feature doesn't cover this.

What went wrong?
> NO, putting security decisions in the hands of the
> user is one of the anti-patterns chrome avoids at
> all costs.

So what about blocked popups and invalid https certificates? Why is it fine to put those security decisions in the hands of the user, but not this one?

Did this work before? No

Chrome version: 64.0.3282.167
Channel: n/a
OS Version:
Flash Version:
Comment by teo8...@gmail.com, Feb 23 2018
> We are working on removing the options to continue through certificates.
> It was a mistake

OMG. I see, looks like I'll have to change browser if it's taking this direction.

Anyway, even assuming that (wrong) standpoint, you should consider two things:

1. https certificate checking is a 100% "scientific", non-heuristic check that can't give false positives (or negatives, for that matter). That's not the case for XSS auditing, which is by its very nature a heuristic thing and will always be susceptible to false positives no matter how good it becomes.

2. I guess a day will come when the XSS auditor will be pretty decent at its job and false positives will become rare, but that's still far from happening, so at least until the feature is mature enough, the "continue anyway" is a must.
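The false-positive argument above, as an added example that is not part of the issue thread and is not Chrome's actual XSS Auditor code: a toy reflected-XSS auditor in the style of the one Chrome shipped at the time (Chrome later removed the feature altogether). A reflection heuristic blocks a response when an inline script in the page also appears in the request that produced it. That catches a real reflected payload, but it cannot tell that case apart from a site that legitimately echoes user-supplied code, such as a JavaScript playground rendering the snippet the user just submitted. The only per-response escape hatch that existed was the site-operator header `X-XSS-Protection: 0`, which the model honours; there was no user-facing "continue anyway". The URLs, page bodies and the `audit`, `inlineScripts` and `normalise` helpers are constructed for this example.

```javascript
// Added example (not from the Chromium issue, not Chrome's algorithm):
// a minimal reflection-based XSS auditor showing an inherent false positive.

// Collect the bodies of inline <script> blocks in a response.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Normalise so trivial encoding/whitespace differences don't hide a reflection.
function normalise(s) {
  try { s = decodeURIComponent(s); } catch (_) { /* malformed escape: keep as-is */ }
  return s.replace(/\s+/g, "").toLowerCase();
}

// Heuristic: block if any inline script body (at least 8 chars after
// normalisation) also occurs in the request URL. Honours the real-world
// per-response opt-out X-XSS-Protection: 0, a decision the site makes,
// not the user.
function audit(requestUrl, responseHeaders, responseHtml) {
  const hdr = (responseHeaders["x-xss-protection"] || "").trim();
  if (hdr.startsWith("0")) {
    return { blocked: false, reason: "auditor disabled by site header" };
  }
  const req = normalise(requestUrl);
  for (const script of inlineScripts(responseHtml)) {
    const body = normalise(script);
    if (body.length >= 8 && req.includes(body)) {
      return { blocked: true, reason: "inline script reflected from request" };
    }
  }
  return { blocked: false, reason: "no reflection found" };
}

// Constructed scenarios (hypothetical hosts). Each returns the auditor's decision.
function reflectedAttack() {
  // Real reflected XSS: the search term is echoed unescaped into the page.
  return audit(
    "https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    {},
    "<html><body>Results for <script>alert(1)</script></body></html>"
  );
}

function legitimatePlayground() {
  // Benign by design: a playground renders the snippet the user submitted.
  // Indistinguishable from the attack to a reflection heuristic.
  return audit(
    "https://playground.test/run?code=console.log(%22hello%22)",
    {},
    '<html><body><script>console.log("hello")</script></body></html>'
  );
}

function playgroundWithOptOut() {
  // The only remedy available to the site: disable the auditor per response.
  return audit(
    "https://playground.test/run?code=console.log(%22hello%22)",
    { "x-xss-protection": "0" },
    '<html><body><script>console.log("hello")</script></body></html>'
  );
}

function noReflection() {
  return audit("https://example.test/", {}, "<script>var page = 1;</script>");
}

for (const f of [reflectedAttack, legitimatePlayground, playgroundWithOptOut, noReflection]) {
  console.log(f.name, JSON.stringify(f()));
}
```

The second scenario is the kind of page the auditor blocked in practice: the request really does contain the script, and the page really is meant to run it. Whether the browser should then offer the user a bypass, as it did for certificate errors and popups at the time, is exactly the policy question argued in this thread; the heuristic itself cannot answer it.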
Comment, Feb 23 2018
Thanks for your opinion.
Comment 1 by tsepez@chromium.org, Feb 23 2018