[webkit-dev] XSSAuditor now on by default---be on the lookout for compat issues

Adam Barth abarth at webkit.org
Fri Jul 10 23:17:28 PDT 2009


Hi webkit-dev,

We've been working on a feature to automatically detect and block some
kinds of cross-site scripting (XSS) attacks.  I'm excited to say that
we've turned the feature on by default today, but we need your help to
be on the lookout for false positives: non-attacks mistakenly blocked
by the auditor.

Symptoms: Some script on a web site doesn't run.
Diagnosis: Look at the Web Inspector's console for a message about a
script being blocked.

If you find a false positive, please file a bug and CC me.  We'll try
to see if there's a way to eliminate the false positive without
introducing any false negatives (real attacks mistakenly not blocked
by the auditor).  If we get too many false positives, we'll disable
the feature while we sort out what to do.
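To make the false-positive trade-off concrete, here is an added toy model of the reflected-script check an auditor of this kind performs; it is illustration code, not WebKit's XSSAuditor, and the URLs and pages are constructed. It assumes the simplest possible rule: an inline script whose body also appears in the decoded query string is treated as reflected and blocked.

```javascript
// Toy reflected-script auditor (illustration only, not WebKit code).
// Assumption: a script is "reflected" when its exact body occurs in the
// request's decoded query string.
const SCRIPT_RE = /<script[^>]*>([\s\S]*?)<\/script>/gi;

function decodedQuery(url) {
  const i = url.indexOf("?");
  return i === -1 ? "" : decodeURIComponent(url.slice(i + 1));
}

// Returns the bodies of inline scripts the auditor would refuse to run,
// i.e. the ones that also appear in the request URL.
function auditInlineScripts(url, html) {
  const query = decodedQuery(url);
  const blocked = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1].trim();
    if (body.length > 0 && query.includes(body)) blocked.push(body);
  }
  return blocked;
}

// Console-style message a developer would look for (see "Diagnosis" above).
function blockMessage(url, html) {
  return auditInlineScripts(url, html).map(
    (body) => `Refused to execute a JavaScript script. Source code of script found within request: ${body}`
  );
}

// Constructed sample 1: the attack the auditor exists for. The query echoes a
// script into the page, so the check correctly blocks it (true positive).
const attackUrl = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const attackHtml = "<p>Results for <script>alert(1)</script></p>";

// Constructed sample 2: a site that legitimately builds a script from a query
// parameter (e.g. a code playground). To the auditor it is indistinguishable
// from sample 1, so it is blocked too: a false positive.
const playgroundUrl = "https://example.test/run?code=document.title%3D'demo'";
const playgroundHtml = "<script>document.title='demo'</script>";

// Constructed sample 3: a static inline script with no echo from the URL;
// the auditor leaves it alone.
const staticUrl = "https://example.test/?q=hello";
const staticHtml = "<script>document.title='hello'</script>";
```

Relaxing the rule to let sample 2 through (for example by ignoring short script bodies) is exactly what risks the false negatives the message warns about, which is why such reports are triaged case by case.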

Thanks for your help!
Adam

