Intent to Deprecate and Remove: XSSAuditor

6,077 views
Skip to first unread message

Thomas Sepez

unread,
Jul 15, 2019, 12:50:16 PM7/15/19
to blink-dev
Contact emails

Details

TL:DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.

Interoperability risk
none - other browsers do not support this, and some sites which currently fail on chrome will begin working.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.

Deprecated on all except iOS, where it isn't present (and we don't control its presence).

Launch Tracking Bug

EricLaw-MSFT

unread,
Jul 15, 2019, 5:17:17 PM7/15/19
to blink-dev
Thanks for the writeup, Thomas. I found https://frederik-braun.com/xssauditor-bad.html and the related discussions compelling in favor of this removal.

On Monday, July 15, 2019 at 11:50:16 AM UTC-5, Thomas Sepez wrote:

Yoav Weiss

unread,
Jul 15, 2019, 7:02:10 PM7/15/19
to Thomas Sepez, blink-dev
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPYU9wRP%2BRYAdi_Fykosbjm6C9KxhZN8-wJeSmQeWAs7ABysXQ%40mail.gmail.com.

Eric Lawrence

unread,
Jul 15, 2019, 7:09:54 PM7/15/19
to blink-dev, tse...@google.com
A good place to find (classes of) sites that are broken by the Auditor is the following query:

It's "Web Exposed" in the sense that the Auditor can block navigations if it believes that the target page contains script content that is found in the request (a so-called "reflection").

Such reflections may be one of three things:

   1. A true exploit of an XSS vulnerability (the ideal case, and the reason the Auditor exists)
   2. An accidental false-positive whereby the loaded page innocently happens to contain scripting content that was in the request
   3. A carefully crafted false-positive whereby an attacker is deliberately using the XSS Auditor as an oracle to detect the presence of certain strings on a victim page. (See the final section of the design doc)


-E

On Monday, July 15, 2019 at 6:02:10 PM UTC-5, Yoav Weiss wrote:
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?

On Mon, Jul 15, 2019 at 6:50 PM 'Thomas Sepez' via blink-dev <blin...@chromium.org> wrote:

Details

TL:DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.

Interoperability risk
none - other browsers do not support this, and some sites which currently fail on chrome will begin working.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.

Deprecated on all except iOS, where it isn't present (and we don't control its presence).

Launch Tracking Bug

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Mike West

unread,
Jul 16, 2019, 5:47:52 AM7/16/19
to Eric Lawrence, blink-dev, Thomas Sepez
LGTM1. I wish we could have made this work, but removing it now seems like the right thing to do, given the side-channels it creates.

-mike


On Tue, Jul 16, 2019 at 1:10 AM Eric Lawrence <elaw...@chromium.org> wrote:
A good place to find (classes of) sites that are broken by the Auditor is the following query:

It's "Web Exposed" in the sense that the Auditor can block navigations if it believes that the target page contains script content that is found in the request (a so-called "reflection").

Such reflections may be one of three things:

   1. A true exploit of an XSS vulnerability (the ideal case, and the reason the Auditor exists)
   2. An accidental false-positive whereby the loaded page innocently happens to contain scripting content that was in the request
   3. A carefully crafted false-positive whereby an attacker is deliberately using the XSS Auditor as an oracle to detect the presence of certain strings on a victim page. (See the final section of the design doc)


-E

On Monday, July 15, 2019 at 6:02:10 PM UTC-5, Yoav Weiss wrote:
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?

On Mon, Jul 15, 2019 at 6:50 PM 'Thomas Sepez' via blink-dev <blin...@chromium.org> wrote:

Details

TL:DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.

Interoperability risk
none - other browsers do not support this, and some sites which currently fail on chrome will begin working.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.

Deprecated on all except iOS, where it isn't present (and we don't control its presence).

Launch Tracking Bug

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7bea7195-457c-4df6-a6de-1047838f8df3%40chromium.org.

Yoav Weiss

unread,
Jul 16, 2019, 5:54:12 AM7/16/19
to Mike West, Eric Lawrence, blink-dev, Thomas Sepez

Jochen Eisinger

unread,
Jul 16, 2019, 6:15:47 AM7/16/19
to Yoav Weiss, Mike West, Eric Lawrence, blink-dev, Thomas Sepez

Joe Medley

unread,
Aug 27, 2019, 12:10:17 PM8/27/19
to blink-dev
I'm not sure how I missed this before. Most deprecations and removals have a Chrome Status entry so that we can let web developers know something is going away. 

This doesn't have one.

Can someone please create one. I don't know how many developers this actually affects, but the TL;DR certainly suggests things we want to highlight.

Joe

bay...@gmail.com

unread,
Aug 27, 2019, 12:24:31 PM8/27/19
to blink-dev
Reply all
Reply to author
Forward
0 new messages