什么触发器“Internet Explorer已修改此页面,以帮助防止跨网站脚本。 [英] What triggers "Internet Explorer has modified this page to help prevent cross-site scripting."?
问题描述
我尝试在Internet Explorer中实施缺少CORS功能的解决方法。对于GET请求,我使用JSONP,这里没有问题。对于小的POST / DELETE / PUT请求,我也使用JSONP通过GET隧道的请求,但这不适用于较大的请求(因为GET URL的长度有限)。所以对于大数据,我尝试通过iframe实现一个表单POST。由于同源策略,我无法从此POST读取响应,因此在发布数据后通过JSONP GET请求获取响应。工作很好,但有时我在IE 9中得到一个奇怪的警告:
Internet Explorer已修改此页面,以帮助防止跨站点脚本。首先我想知道什么是地狱IE在做,因为即使当这个警告出现一切仍然正常工作。然后我发现,IE替换隐藏的iframe的内容后,用一个#字符的POST答案(我不能读取和需要)。
所以我的解决方法仍然工作,即使当这个警告出现,但我想知道究竟触发这个警告,所以也许我可以修改我的CORS解决方法摆脱这个警告。任何提示?
解决方案您可以配置 X-XSS-保护
标题。这将告诉IE在您的网站上禁用XSS保护。
I'm trying to implement a workaround for missing CORS functionality in Internet Explorer. For GET requests I use JSONP, no problem here. For small POST/DELETE/PUT requests I also use JSONP by tunneling the requests through GET but this does not work for larger requests (Because the length of the GET URL is limited). So for large data I try to implement a form POST via an iframe. I can't read the response from this POST because of the same-origin policy so I fetch the response via a JSONP GET request after posting the data. Works great but sometimes I get a strange warning in IE 9:
Internet Explorer has modified this page to help prevent cross-site scripting.
First I wondered what the hell IE is doing there because even when this warning appears everything still works correctly. Then I found out that IE replaces the content of the hidden iframe AFTER the POST answer (which I can't read and need anyway) with a "#" character.
So my workaround still works even when this warning appears but I would like to know what exactly triggers this warning so maybe I can modify my CORS workaround to get rid of this warning. Any hints?
解决方案 You can configure the X-XSS-Protection
header on your server. This will tell IE to disable XSS protection on your site.
这篇关于什么触发器“Internet Explorer已修改此页面,以帮助防止跨网站脚本。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!