Monday, November 21, 2011

Avoid Cross Site Scripting popup in IE

Microsoft IE has a security feature called the Cross Site Scripting (XSS) Filter, which stops scripts that look like reflected cross-site scripting from running and so helps prevent such attacks. When the filter triggers, IE shows a popup. The setting that controls the filter is enabled by default; to turn the popup off in the browser, follow the steps below -

  • Go to Tools --> Internet Options.
  • Click on the Security tab.
  • Click on the Custom level button.
  • Scroll down to the end and look for the "Enable XSS Filter" setting.
  • Select "Disable" and click on OK.
  • Restart your browser and you will no longer see the cross-site scripting popup.
The above approach will not work if you have a huge number of clients, since asking all of them to follow these steps is tedious for them. There is a way to handle this from the application side instead.

IE reads the "X-XSS-Protection" response header, and if the value of this header is 0, IE disables the filter for that page and does not show the cross-site scripting popup.

To set this in Java, set the header on the response object as given below (setHeader takes the value as a String, so 0 must be quoted) -

// response is a javax.servlet.http.HttpServletResponse
response.setHeader("X-XSS-Protection", "0");

You can set the same header in any language before sending the response to the client, and the browser will respect it.
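A servlet Filter that applies the header to every response, so the change is made once on the server for all clients rather than in each browser; this is an added example, not code from the original post, and assumes the Servlet 3.0 API (javax.servlet) with the class name, init-param name and URL mapping chosen here. A value of 0 turns IE's filter off entirely for that response, so it is read from configuration rather than hard-coded.

```java
// Added example (not from the original post): a servlet Filter that sets
// X-XSS-Protection on every response. Assumes the Servlet 3.0 API
// (javax.servlet); the header value comes from an init-param so it can be
// changed in web.xml without touching code.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*",
           initParams = @WebInitParam(name = "xssProtection", value = "0"))
public class XssProtectionHeaderFilter implements Filter {

    static final String HEADER = "X-XSS-Protection";

    private String headerValue;

    @Override
    public void init(FilterConfig config) {
        // "0" disables IE's XSS filter for the response, as the post describes;
        // any other value configured for the filter is passed through unchanged.
        String configured = config.getInitParameter("xssProtection");
        headerValue = (configured == null) ? "0" : configured.trim();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set the header before the rest of the chain runs: setHeader is
            // silently ignored once the response has been committed downstream.
            ((HttpServletResponse) response).setHeader(HEADER, headerValue);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```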
