SharePoint Script Editor Web Part causing ERR_BLOCKED_BY_XSS_AUDITOR


Jussi Palo

Mar 22, 2017, 6:52:28 AM
to Chromium-discuss
Hi,
In recent Chrome 57, it has become a little annoying to work with Microsoft's SharePoint portal tool due to Chrome throwing an ERR_BLOCKED_BY_XSS_AUDITOR error when working with the Script Editor web part. The issue occurs on at least SharePoint Online and on-premises SharePoint 2016, but probably also on 2013. The issue occurs regardless of whether the site is accessed via HTTP or HTTPS.

Steps to repro:
  1. On SharePoint publishing page, add Script Editor web part to content area or web part zone
  2. Add the following code to the web part (any JS will do the trick): 
    <script>
    console.log("asd")
    </script>
  3. Click Insert at the bottom of the Script Editor content dialog

    --> Chrome throws you to a page saying

    This page isn’t working

    Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).

    • Try visiting the site's homepage.
    ERR_BLOCKED_BY_XSS_AUDITOR

SharePoint does save the changes, so at this point it is more of an annoyance than a real show-stopper. Assuming there is no immediate fix available for this, is there perhaps any workaround, e.g., trusting specific sites, or disabling the XSS auditor on specific sites?

Jussi Palo

Mar 22, 2017, 7:04:28 AM
to Chromium-discuss
More details:
  1. Issue occurs also with --disable-extensions
  2. In case the "Insert" button of the Script Editor web part doesn't throw the warning, trying to open the web part properties after clicking "Insert" will throw the warning.

Jussi Palo

Mar 28, 2017, 2:38:01 AM
to Chromium-discuss
More details:
- Issue also occurs when you try to open properties of any other web part on the page on which the Script Editor web part is placed, so it is a show stopper for using Chrome, and we need to revert to other browsers.


PhistucK

Mar 28, 2017, 4:02:52 AM
to Jussi Palo, Chromium-discuss
Editors are known to be incompatible with the XSS auditor.
I believe you will need to configure SharePoint to send the following HTTP header in its editor responses -
X-XSS-Protection: 0
Sorry, I do not have any information regarding how to configure SharePoint to do that.


PhistucK


Alex Clark

Mar 28, 2017, 3:59:59 PM
to Chromium-discuss, ju...@jussipalo.com
I have the same problem - it's very annoying.

I've tried disabling the 'Protect you and your device from dangerous sites' option as I read that somewhere else as a possible solution but no dice.

I'd like to rollback to 56 but can't do that.

Beta build also has the same problem :-(



Jussi Palo

Mar 31, 2017, 8:05:38 AM
to Chromium-discuss, ju...@jussipalo.com
Thank you, adding this to web server configuration is a suitable workaround for the time being for on-premises SharePoint farms.

I made a more detailed blog article of this here.

- Jussi



PhistucK

Mar 31, 2017, 8:13:32 AM
to Jussi Palo, Chromium-discuss
You write there that recent builds apparently fix this issue. I actually do not expect that to be fixed; have you tried recent builds and they worked fine?


PhistucK


Alex Clark

Apr 2, 2017, 1:37:47 AM
to Chromium-discuss, ju...@jussipalo.com
Actually, it seems to not be fixed, sorry. Looks like Web Parts that are not script editors work fine.



Alex Clark

Apr 2, 2017, 1:37:52 AM
to Chromium-discuss, ju...@jussipalo.com
Apparently this has been fixed in the latest Chrome Dev build, FYI.

Alex Clark

Apr 2, 2017, 1:38:12 AM
to Chromium-discuss, ju...@jussipalo.com
We've done some more digging; we must've not read the original post in enough detail.

Yes, it only happens when using Script Editors with code inside: if you have any Script Editor on a page with code in it, you cannot edit any other Web Parts.

It's quite annoying. We use Office 365 for demos, so it's a big blocker for us.


PhistucK

Apr 2, 2017, 1:41:35 AM
to alexand...@gmail.com, Chromium-discuss, Jussi Palo
Can you configure it like Jussi has?
If not, you need a service provider fix; file a bug with Microsoft.


PhistucK


Oscar Ortiz Pinzón

Apr 18, 2017, 3:56:13 AM
to Chromium-discuss
http://blog.jussipalo.com/2017/03/sharepoint-workaround-for-script-editor.html?showComment=1492442343273#c3029033940569433223

It's very fun to be here. All you need is this:

    <httpProtocol>
      <customHeaders>
        <add name="X-XSS-Protection" value="0" />
      </customHeaders>
    </httpProtocol>

Robert Woods

Apr 18, 2017, 3:56:17 AM
to Chromium-discuss, alexand...@gmail.com, ju...@jussipalo.com
No,
In Office 365 there is no control over the server. It's just like a Google app... Why does disabling this setting in advanced settings not fix the issue?



Alex Clark

Apr 19, 2017, 1:29:57 AM
to Chromium-discuss, alexand...@gmail.com, ju...@jussipalo.com
As Robert says, this cannot be configured in O365. I'm going to raise a support ticket and see what happens.

Cheers

PhistucK

Apr 19, 2017, 1:31:40 AM
to Alex Clark, Mike West, Chromium-discuss, Jussi Palo
Adding Mike.


PhistucK


Ilya

May 3, 2017, 2:43:35 AM
to Chromium-discuss
I solved this, at least for now, by using the Requestly extension and adding the response header for all sites that match sharepoint.com:

X-XSS-Protection: 0

Now web part editor works...

Isra

May 3, 2017, 2:43:54 AM
to Chromium-discuss
Have you found a solution regarding this issue yet? I was asked to embed a Yammer code snippet onto a SharePoint site, but I get the exact error as in the original question.

Jen P

May 4, 2017, 1:35:40 AM
to Chromium-discuss

Ilya,

Thanks for the suggestion! Would you be willing to share your rule or a screenshot of it? I'm trying to replicate it right now and am having no luck.

Thanks!
Jen

Ralfh Barten

May 4, 2017, 5:26:52 AM
to Chromium-discuss

The settings below in Requestly fixed it for me for SharePoint Online sites:


Jen P

May 4, 2017, 12:16:52 PM
to Chromium-discuss
Thank you, that really helped!

starrychloe S.

May 10, 2017, 2:13:26 AM
to Chromium-discuss
Yeah this sucks! I'm getting this error on a development site on my localhost for a Yii PHP app which I believe is trying to show the error page and stack trace!

Eric Moran

May 15, 2017, 1:36:18 PM
to Chromium-discuss
Any updates to this?


PhistucK

May 15, 2017, 1:37:42 PM
to ejm...@gmail.com, Chromium-discuss
What update are you looking for?


PhistucK

--

Jen P

May 15, 2017, 1:50:05 PM
to Chromium-discuss
The company I work for has opened a bug with Microsoft. No outcome yet. 

Alex Clark

May 18, 2017, 5:43:18 AM
to Chromium-discuss
It appears to me that this has been fixed in the latest build of Chrome, 60.

I was using the Requestly solution, but now it works without it :-)

Eric Moran

May 18, 2017, 9:10:58 AM
to Chromium-discuss
How does one get 60? I'm only seeing 58 in the beta currently.

Alex Clark

May 18, 2017, 9:17:37 AM
to Chromium-discuss
60 is the latest Official build; the beta is not at 60 yet.

PhistucK

May 18, 2017, 9:26:10 AM
to Eric Moran, Chromium-discuss
60 is the latest canary build.
58 is the stable release, 59 is the beta release, though it is a gradual release, which is why you still have 58 (or you have not restarted Chrome in a while).



PhistucK

--

Alex Clark

May 18, 2017, 10:00:59 AM
to Chromium-discuss, ejm...@gmail.com
Are you sure? See attached screenshot showing 60 as Official Build.

I last had beta installed with 59 before I freshly downloaded Chrome this morning after a colleague reported it working on build 60.



Capture.PNG

PhistucK

May 18, 2017, 10:17:25 AM
to Alex Clark, Chromium-discuss, Eric Moran
Every release of Chrome (canary, dev, beta or stable) is "Official build".
I am not sure why it does not say "dev" for you. It might happen if you install dev and then install stable, but because the dev version is higher than the stable version, you will only get a real stable version once it reaches a version higher than your local one.


PhistucK


Oscar Ortiz Pinzón

Jun 22, 2017, 3:50:13 PM
to Chromium-discuss
This solution is true and very useful!

    <httpProtocol>
      <customHeaders>
        <add name="X-XSS-Protection" value="0" />
      </customHeaders>
    </httpProtocol>

already!!!


Jen P

Jul 27, 2017, 2:23:59 PM
to Chromium-discuss, alexand...@gmail.com
Unfortunately I just got Chrome 60, and the error still happens. 

w brewer

Aug 3, 2017, 6:29:34 AM
to Chromium-discuss, alexand...@gmail.com
So for SP Online, this worked for me without the need of an extension:

w brewer

Aug 3, 2017, 6:29:37 AM
to Chromium-discuss, alexand...@gmail.com
Yep, still an issue with Chrome 60. Getting an extension to resolve this seems ridiculous ... when will Msft start testing against browser updates properly and fix their bugs?


PhistucK

Aug 3, 2017, 6:33:07 AM
to eps...@gmail.com, Chromium-discuss, Alex Clark
Well, it is not entirely the fault of Microsoft. Google Chrome decided to be more strict in order to protect users as well as websites.
Chrome is a fast-moving browser, and large web properties like Office 365 have a different release cycle. While Chrome does try to announce changes in advance, it is still not always enough.

There is nothing inherently wrong with the Microsoft code in this instance. It is Chrome that is being (over?) cautious (there is nothing wrong with that either).


PhistucK

--

PhistucK

Aug 3, 2017, 6:35:57 AM
to eps...@gmail.com, Chromium-discuss, Alex Clark
That would indeed work for you, but it would also put you at risk.
The extension has more granularity: you choose the websites on which this protection is not applied.
By using the command line flag, you disable the protection for all of the websites and make your browser vulnerable to cross site scripting attacks. Your data can be sent to attackers much more easily this way.


PhistucK

--
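A simplified model of the reflected-script check that PhistucK's replies describe, as an added example that is not from this thread and not Chromium's own code: the editor POSTs the script from the original post, the rendered page echoes it back, and that round trip looks like a reflected payload, while the X-XSS-Protection: 0 opt-out applies only to the response that carries it, which is why a per-site header is safer than a browser-wide flag. The form field name, page markup and auditor logic are constructed assumptions; Chrome's real heuristics were more involved than a substring match.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Inline <script>...</script> blocks in a response body (simplified model).
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def reflected_scripts(request_data, response_html):
    """Return inline script blocks in the response that also appear verbatim in
    the (form-decoded) request. A saved Script Editor web part hits this because
    the page renders exactly what the editor just submitted."""
    decoded = unquote_plus(request_data)
    return [m.group(0) for m in SCRIPT_RE.finditer(response_html) if m.group(0) in decoded]


def auditor_verdict(request_data, response_html, headers):
    """'allow' if this response opts out with X-XSS-Protection: 0, 'block' if a
    reflected script is found, otherwise 'allow'. Header names are case-insensitive."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if lowered.get("x-xss-protection", "").startswith("0"):
        return "allow"  # opt-out is scoped to this one response
    return "block" if reflected_scripts(request_data, response_html) else "allow"


# Constructed sample: the snippet from the original post, submitted in a
# form-encoded POST body (field name "content" is an assumption) and echoed
# back inside the rendered page.
SNIPPET = '<script>\nconsole.log("asd")\n</script>'
POST_BODY = "content=" + quote_plus(SNIPPET)
EDITOR_PAGE = '<html><body><div class="webpart">' + SNIPPET + "</div></body></html>"


def demo():
    """Verdicts for the editor round trip under different response headers,
    plus a request that does not carry the script (no reflection, no block)."""
    return {
        "editor_default": auditor_verdict(POST_BODY, EDITOR_PAGE, {}),
        "editor_opted_out": auditor_verdict(POST_BODY, EDITOR_PAGE, {"X-XSS-Protection": "0"}),
        "editor_mode_block": auditor_verdict(POST_BODY, EDITOR_PAGE, {"X-XSS-Protection": "1; mode=block"}),
        "unrelated_request": auditor_verdict("q=hello", EDITOR_PAGE, {}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```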