IE8 XSS filter: what does it really do?

清歌不尽 2020-12-13 00:14

Internet Explorer 8 has a new security feature, an XSS filter that tries to intercept cross-site scripting attempts. It's described this way:

The

3 answers
  •  鱼传尺愫
    2020-12-13 00:47

    You should send me (ericlaw@microsoft) a network capture (www.fiddlercap.com) of the scenario you think is incorrect.

    The XSS filter works as follows:

    1. Is XSSFILTER enabled for this process?
       If yes – proceed to next check
       If no – bypass XSS Filter and continue loading
    2. Is it a "document" load (like a frame, not a subdownload)?
       If yes – proceed to next check
       If no – bypass XSS Filter and continue loading
    3. Is it an HTTP/HTTPS request?
       If yes – proceed to next check
       If no – bypass XSS Filter and continue loading
    4. Does RESPONSE contain x-xss-protection header?
       Yes:
         Value = 1: XSS Filter Enabled (no urlaction check)
         Value = 0: XSS Filter Disabled (no urlaction check)
       No: proceed to next check
    5. Is the site loading in a Zone where URLAction enables XSS filtering? (By default: Internet, Trusted, Restricted)
       If yes – proceed to next check
       If no – bypass XSS Filter and continue loading
    6. Is it a cross-site request? (Referrer header: Does the final (post-redirect) fully-qualified domain name in the HTTP request referrer header match the fully-qualified domain name of the URL being retrieved?)
       If yes – bypass XSS Filter and continue loading
       If no – then the URL in the request should be neutered.
    7. Does the heuristic indicate that the RESPONSE data came from unsafe REQUEST DATA?
       If yes – modify the response.

    Now, the exact details of #7 are quite complicated, but basically, you can imagine that IE does a match of request data (URL/Post Body) to response data (script bodies) and if they match, then the response data will be modified.

    In your site's case, you'll want to look at the body of the POST to http://h30405.www3.hp.com/print/start and the corresponding response.
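
The decision flow listed in the answer above, modelled as an added example (not code from the answer or from Microsoft) for working out why a given response was modified. The `ctx` field names are hypothetical, step 7 is a naive substring match standing in for IE's real heuristics, and a header value of 1 is read as skipping only the zone check.

```javascript
// Added illustration: simplified model of the seven checks in the answer above.
// ctx field names are hypothetical; header names are assumed lower-cased.
const FILTERED_ZONES = new Set(["Internet", "Trusted", "Restricted"]); // defaults per the answer

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Step 7 stand-in (assumption): a request value of 4+ characters appearing
// verbatim inside an inline script body counts as "came from request data".
function reflectedValues(requestData, responseBody) {
  const scripts = [...responseBody.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  const values = [...new URLSearchParams(requestData).values()].filter(v => v.length >= 4);
  return values.filter(v => scripts.some(s => s.includes(v)));
}

function xssFilterDecision(ctx) {
  if (!ctx.filterEnabledForProcess) return "bypass: filter off for process";      // step 1
  if (!ctx.isDocumentLoad) return "bypass: not a document load";                  // step 2
  if (!/^https?:$/.test(new URL(ctx.url).protocol)) return "bypass: not HTTP(S)"; // step 3
  const header = (ctx.responseHeaders["x-xss-protection"] || "").trim();          // step 4
  if (header.startsWith("0")) return "bypass: disabled by response header";
  if (!header.startsWith("1") && !FILTERED_ZONES.has(ctx.zone)) {                 // step 5
    return "bypass: zone does not enable filter";
  }
  if (ctx.referrer && hostOf(ctx.referrer) === hostOf(ctx.url)) {                 // step 6
    return "bypass: referrer host matches target host";
  }
  const hits = reflectedValues(ctx.requestData, ctx.responseBody);                // step 7
  return hits.length > 0 ? "modify response" : "no match: load unchanged";
}

// Constructed sample: a cross-site form POST whose field is echoed into an inline script.
const sample = {
  filterEnabledForProcess: true,
  isDocumentLoad: true,
  url: "http://shop.example/print/start",
  referrer: "http://portal.example/cart",
  zone: "Internet",
  responseHeaders: {},
  requestData: "title=var+orderTitle%3D%22Report%22",
  responseBody: '<html><script>var orderTitle="Report";</script></html>',
};

console.log(xssFilterDecision(sample));
```

Feeding it the POST body and response from a network capture shows which of the listed checks ends the evaluation for that request.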
