Google to Remove Chrome’s Built-In XSS Protection (XSS Auditor).

There are new rules and bans for Chrome extensions that violate the law.


You can watch it now

Google engineers are planning to get rid of a Chrome security function that is not up to the standards it was meant to offer for many years.

The feature, XSS Auditor was named by Google Chrome v4.

XSS Auditor inspects the source code of a website for any patterns that could be mistakenly interpreted as a cross site scripting (XSS), attack. This may allow the browser to execute malicious code.

Chrome can remove malicious code if it finds a known XSS-related pattern. It may also block the site from loading completely, such as the error shown below.




XSS Auditor, Chrome’s only browser with built-in XSS protection, has been a distinctive feature for years.

The feature was launched in other browsers using add-ons. Most famous is the NoScript extension which features an XSS protection mechanism that has existed for many years.

XSS Auditor has many holes

Google engineers revealed plans to remove XSS Auditor and deprecate it from Chrome on Monday, July 15.

Engineers gave several reasons why they removed the feature. One reason engineers mentioned was that there have been numerous XSS Auditor bypasses in recent years.

XSS Auditor, although a well-known feature at the time, is now a joke. Bug hunters are joking about how you don’t really qualify as security researchers until they find an XSS Auditor bypass. ZDNet discovered ten XSS Auditor bypasses in just 2 minutes using a Google Search [1, 2, 3, 5, 6, 7, 8, 9, 10, and many more].

Additionally, Chrome has been affected by the XSS Auditor loopholes. A Google Groups discussion announced the deprecation of XSS Auditor. Thomas Sepez, a Chrome engineer said that XSS Auditor had introduced “cross-site information leaks” and that it was difficult to fix them all.

False positives are another problem. In some cases, XSS Auditor may block access to legitimate websites based upon erroneous detections.

With Chrome 74‘s release, Google changed the default XSS Auditor Mode to “filter.” This means that XSS Auditor, which was previously blocking access to sites containing XSS codes, has been removing those files in an effort to reduce the amount of false positives reports it engineers were receiving.

Trusted Types API will replace it

The deprecation of the XSS Auditor component began last October. Google does not specify in which Chrome release XSS Auditor is to be disabled. It will eventually be removed from the Chrome codebase.

Google is working to replace it. Google’s engineers announced in February that they had created the Trusted Types API browser, a defense against DOM-based XSS attack. They claimed it would ” obliterate DOM XSS.”

Unlike XSS Auditor (a Chrome component), the Trusted Types API, which is a web-standard, could be integrated with other browsers.

An Imperva report released in January shows that XSS vulnerabilities was the most common form of web-based attack in 2014., 2015., 2016., and 2017. These were second-most common web-based attack last year. Only an unusual spike in SQL injection attacks made them fall to the bottom.

Security experts and companies often minimize XSS vulnerabilities because they aren’t necessarily causing direct harm to site users. They are often used as a stepping stone to more dangerous hacks and complex exploit procedures. In many cases, XSS would be eliminated to protect users from complex attacks.

Internet Explorer was the only browser that had an XSS filter, while Edge did. Microsoft has removed the XSS filter in Edge. The browser manufacturer and the OS maker cited Content Security Policy, which can block XSS attacks at website level more efficiently.

This article has been updated to include information about Microsoft removing Edge’s XSS filter.

Get more browser coverage