Surprisingly, Google Chrome plans to remove the Cross-Site Scripting (XSS) detection tool from its web browser. Introduced at the start of 2010, the XSS feature was built into the Chrome browser and had helped the company detect cross-site scripting vulnerabilities.
However, the search giant has decided to remove it, hopefully in favor of something better when it comes to user protection.
During an XSS attack, the hacker injects their own code into a website, either by placing it in a URL or by posting content to a legitimate website. When an unsuspecting user views the code entered by the attacker, it executes a command in their browser that can perform several tasks, from stealing the victim's cookies to infecting their device with malware.
In an ideal world, website developers would prevent these types of attacks by enforcing measures that thoroughly scan user-submitted data. Unfortunately, many fail to do so, which is why Google introduced the XSS Auditor, which tries to detect vulnerabilities while the browser is analyzing HTML. The XSS Auditor uses a blocklist to identify suspicious patterns that resemble the code injected by attackers. This makes it easy for the engineers at Google to filter out nuisance-causing XSS code instead of blocking it altogether.
However, Google Chrome engineers seem unsatisfied with the Auditor and claim that they were able to find bypasses for it despite the built-in functionality, so removing the feature is the best option.
Google security engineer Eduardo Vela Nava also issued a statement on Monday that the XSS Auditor prevents some legitimate sites from working and is not as helpful as it seems. Nevertheless, the company is currently developing another tool, named Trusted Types, that would also force web developers to sanitize code before using it in their webpages.
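As an added illustration (not code from Google or from the original article), this is roughly what "sanitize before use" looks like under Trusted Types. The policy name `escape-untrusted` and the helpers `escapeHtml` and `renderComment` are hypothetical, and the code assumes the site's CSP allows that policy name.

```javascript
// Added example. The names "escape-untrusted", escapeHtml and renderComment
// are hypothetical and do not come from the article.

// Encode the characters that let text break out of an HTML text or
// attribute context, so user input is displayed instead of parsed as markup.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// In a browser with Trusted Types, register a policy whose createHTML runs
// the sanitizer. Elsewhere (older browsers, Node) fall back to a plain
// object with the same method so the same call sites still work.
const tt = globalThis.trustedTypes;
const policy = tt && tt.createPolicy
  ? tt.createPolicy("escape-untrusted", { createHTML: escapeHtml })
  : { createHTML: escapeHtml };

// When the page is served with the header
//   Content-Security-Policy: require-trusted-types-for 'script'
// the browser throws a TypeError on `element.innerHTML = someString`.
// Only values produced by a registered policy are accepted, so every
// write to a dangerous sink has to pass through the sanitizer.
function renderComment(element, untrustedText) {
  element.innerHTML = policy.createHTML(untrustedText);
  return String(element.innerHTML);
}
```

Unlike a blocklist that guesses at suspicious patterns after the fact, the enforcement sits at the point where a string becomes HTML, so the set of functions that need security review shrinks to the policy definitions.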
Buggy websites have always been a problem for both web developers and users. With more enforcement in place, can we expect an end to malware and malicious content on websites?