ERR_BLOCKED_BY_XSS_AUDITOR when downloading file using selenium


Problem description

I'm trying to download a file using selenium by simulating a click on a download button, but Chrome reports ERR_BLOCKED_BY_XSS_AUDITOR. If I use the "--disable-xss-auditor" argument to bypass it, the page gets reloaded and nothing gets downloaded. What seems strange to me is that when I actually download the file with my mouse in a Chrome session that's even controlled by selenium, the file downloads fine.

Please help me understand what the XSS auditor does. Why can't I download the file with selenium?

BTW, I'm using python if it matters.

Thanks

Recommended answer

X-XSS-Protection

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.

Header type               Response header
-----------               ---------------
Forbidden header name     no

Syntax

  • X-XSS-Protection: 0: Disables XSS filtering.
  • X-XSS-Protection: 1: Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
  • X-XSS-Protection: 1; mode=block: Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
  • X-XSS-Protection: 1; report=: (Chromium only) Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.
As per "Intent to Ship: Changes to the XSS Auditor", the Chromium team made two changes:

  • Change the default behavior to X-XSS-Protection: 1; mode=block, which blocks the page load by navigating to a unique origin when XSS is detected, rather than filtering out specific scripts.
  • Deprecate the filter mode, with the intent to remove it completely at some future date.

XSS Auditor blocks by default: Chrome's XSS Auditor should block pages by default, rather than filtering out suspected reflected XSS. Moreover, we should remove the filtering option, as breaking specific pieces of a page's script has been an XSS vector itself in the past.

As per "XSS Auditor: Block by default, remove filtering", this issue was discussed and a fix was attempted. Some more discussion happened in "False positives with ERR_BLOCKED_BY_XSS_AUDITOR", and finally in "ERR_BLOCKED_BY_XSS_AUDITOR on bona fide site when posting to a forum" the Chromium team decided Status: WontFix.

You need to induce WebDriverWait for the desired element to be clickable. Here are some examples of the WebDriverWait implementation:

  • Java:

    new WebDriverWait(driver, 20).until(ExpectedConditions.elementToBeClickable(By.linkText("text_within_the_link"))).click();

  • Python:

    WebDriverWait(driver, 20).until(EC.element_to_be_clickable((By.LINK_TEXT, "text_within_the_link"))).click()

  • C#:

    new WebDriverWait(driver, TimeSpan.FromSeconds(10)).Until(ExpectedConditions.ElementToBeClickable(By.LinkText("text_within_the_link"))).Click();