What is the http-header "X-XSS-Protection"?


Question

So I've been toying around with HTTP for fun in telnet now (i.e. just typing in telnet google.com 80 and putting in random GETs and POSTs with different headers and the like) but I've come across something that google.com transmits in its headers that I don't know.

I've been looking through http://www.w3.org/Protocols/rfc2616/rfc2616.html and have found no definition for this particular http-header that Google seems to be spouting out:

GET / HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 01 Feb 2012 03:42:24 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=6ddbc0a0342e7e63:FF=0:TM=1328067744:LM=1328067744:S=4d4farvCGl5Ww0C3; expires=Fri, 31-Jan-2014 03:42:24 GMT; path=/; domain=.google.com
Set-Cookie: NID=56=PgRwCKa8EltKnHS5clbFuhwyWsd3cPXiV1-iXzgyKsiy5RKXEKbg89gWWpjzYZjLPWTKrCWhOUhdInOlYU56LOb2W7XpC7uBnKAjMbxQSBw1UIprzw2BFK5dnaY7PRji; expires=Thu, 02-Aug-2012 03:42:24 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked

1000

Anyone know what X-XSS-Protection is?

Recommended answer

X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the "XSS Filter" of IE8, which prevents some categories of XSS attacks. IE8 has the filter activated by default, but servers can switch it off by setting

   X-XSS-Protection: 0

See also http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
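
Added example (not part of the original answer): a Python sketch that reads the X-XSS-Protection header out of a raw response like the one in the question and reports whether the server switched the filter off, left it on, or turned it on with mode=block. The sample response is constructed from the quoted headers, the function names are hypothetical, and the reading of mode=block (block the page rather than sanitise it) is the filter's documented behaviour, not something the answer states.

```python
# Added example: interpret X-XSS-Protection in a raw HTTP response head.
# SAMPLE_RESPONSE is constructed from the headers quoted in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gws\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def header_values(raw_response, name):
    """Return every value of header `name` (header names are case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def parse_xss_protection(value):
    """Split a value such as '1; mode=block' into the switch and its directives."""
    parts = [p.strip() for p in value.split(";")]
    switch = parts[0]
    if switch not in ("0", "1"):
        return {"valid": False, "enabled": None, "block": False}
    directives = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    # mode=block only has an effect while the filter is switched on
    block = switch == "1" and directives.get("mode", "").lower() == "block"
    return {"valid": True, "enabled": switch == "1", "block": block}


def describe(raw_response):
    """Summarise what the response asks the browser's XSS filter to do."""
    values = header_values(raw_response, "X-XSS-Protection")
    if not values:
        return "header absent: browser default applies"
    policy = parse_xss_protection(values[0])  # assumption: first occurrence wins
    if not policy["valid"]:
        return "unrecognised value: " + values[0]
    if not policy["enabled"]:
        return "filter switched off by the server"
    return "filter on, block page" if policy["block"] else "filter on, sanitise"
```

Calling `describe(SAMPLE_RESPONSE)` classifies the response from the question; a response carrying `X-XSS-Protection: 0` is reported as the server opting out of the filter.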
