Microsoft Edge’s XSS Filter Appears to Be Broken

A security feature that’s included with the Microsoft Edge browser appears to have stopped working, according to Gareth Heyes, a security researcher with cyber-security firm PortSwigger.

The security feature in question is named “XSS Filter” and is a Microsoft-developed security mechanism that can prevent basic cross-site scripting (XSS) attacks inside browsers.

Microsoft developed and launched XSS Filter in 2008, when it was first included with Internet Explorer 8. The feature has since been carried over to Edge, and similar filters were adopted by other browsers such as Google Chrome and Safari.

How XSS Filter works

This security feature is also known as “X-XSS-Protection.” It is known by this name because website owners can configure an HTTP header named “X-XSS-Protection” for the server that delivers their sites.

When browsers load a page from these sites and detect this header, they will run the XSS Filter protections based on the value of that header, which can be one of three values:

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block

When a browser sees a header of “X-XSS-Protection: 0,” it will disable the XSS Filter protection.

When a browser sees a header of “X-XSS-Protection: 1,” it will sanitize the page’s code and remove patterns that are specific to XSS attacks.

When a browser sees “X-XSS-Protection: 1; mode=block,” it will block rendering (display) of any content on the page if it detects patterns specific to XSS attacks.

For the past three years, since Edge was released, Edge has used the second value as its default setting, meaning Edge would try to sanitize the code of any page it loads, regardless of whether the page had an X-XSS-Protection header configured or not.

Edge’s XSS Filter is now off by default

But this week, Heyes discovered that Edge was not behaving as it was supposed to with regard to respecting XSS Filter settings.

“The XSS Filter is supposed to be on by default,” Heyes said. “However, it is now off by default, and even if you try to turn it on with X-XSS-Protection: 1 it remains off.”

The reason why XSS Filter is off by default for all sites is unknown, as there has not been any official announcement from Microsoft or the Edge team.

But this doesn’t appear to be an intentional reconfiguration on Microsoft’s part. Instead, this appears to be a bug.

This is because the feature works as intended in Internet Explorer, Microsoft’s other browser, where it is still on by default. If Microsoft had wanted to remove this feature, it would have done so from both of its browsers.

Furthermore, XSS Filter can still be enabled in Edge, but only when websites specifically use its third and highest security setting, which most website owners avoid using since it blocks Edge from displaying the page altogether.

“The only way to actually turn it on now is when you have the header X-XSS-Protection: 1; mode=block,” Heyes noted.

A Microsoft spokesperson has not been on hand to respond to a request for comment from Bleeping Computer. Microsoft said “We have nothing to share” to PortSwigger when the company reached out for comment earlier this week.

The case for removing XSS Filter

But PortSwigger researchers have also built a case that removing XSS Filter might be a good idea, if Microsoft has truly gone that way, and explained why many security researchers won’t be crying too much about it.

For starters, many researchers have bypassed this feature or abused it to carry out other attacks on the underlying browser [1, 2, 3].

Second, Mozilla has never expressed support for the feature and has hobbled the feature’s chances of becoming a cross-browser-supported anti-XSS mechanism.

Third, according to the MDN portal, the official documentation site regarding web features, the XSS Filter feature is not as crucial as it once was:
Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript (‘unsafe-inline’), they can still provide protections for users of older web browsers that don’t yet support CSP.

Fourth, the feature is often misunderstood and misconfigured by website owners, hence it’s rarely used to its full potential.

So, whether it’s a bug or Microsoft has disabled it on purpose, it appears that the feature doesn’t have that many fans to begin with.
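The following is an added example, not code from the article or from PortSwigger, showing how a site owner would audit a response for the three X-XSS-Protection values described above and for the Content-Security-Policy that MDN recommends relying on instead. The header values and sample responses are constructed; the Edge-specific rule (only "mode=block" turns the filter on) is taken from Heyes' observation quoted above.

```python
"""Audit X-XSS-Protection and Content-Security-Policy response headers."""
from typing import Dict, Optional

_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_xss_protection(value: Optional[str]) -> str:
    """Map a header value to 'absent', 'off', 'sanitize', 'block' or 'invalid'."""
    if value is None:
        return "absent"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid"
    if parts[0] == "0":
        return "off"
    directives = {}
    for part in parts[1:]:  # e.g. "mode=block" or "report=<url>"
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return "block" if directives.get("mode", "").lower() == "block" else "sanitize"


def csp_blocks_inline_script(csp: Optional[str]) -> bool:
    """True if script-src (or the default-src fallback) forbids inline script."""
    if not csp:
        return False
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # neither directive present: inline script is allowed
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    if any(s.startswith(_NONCE_OR_HASH) for s in sources):
        return True
    return "'unsafe-inline'" not in sources


def audit(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise both headers; header-name lookup is case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xss = parse_xss_protection(lowered.get("x-xss-protection"))
    csp_ok = csp_blocks_inline_script(lowered.get("content-security-policy"))
    # Per the report, Edge now activates its filter only for "1; mode=block".
    return {"xss_filter": xss, "edge_filter_active": xss == "block",
            "csp_blocks_inline": csp_ok, "needs_csp": not csp_ok}


SAMPLE_RESPONSES = {  # constructed sample headers, not from any real site
    "legacy": {"X-XSS-Protection": "1"},
    "block": {"X-XSS-Protection": "1; mode=block"},
    "modern": {"X-XSS-Protection": "0",
               "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'"},
}
```

Running `audit()` over each entry of `SAMPLE_RESPONSES` shows that only the "block" response gets any filtering in Edge, while the "modern" response needs none because its CSP already disables inline script.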