什么触发器“Internet Explorer已修改此页面，以帮助防止跨网站脚本。 [英] What triggers "Internet Explorer has modified this page to help prevent cross-site scripting."?

问题描述

我尝试在Internet Explorer中实施缺少CORS功能的解决方法。对于GET请求，我使用JSONP，这里没有问题。对于小的POST / DELETE / PUT请求，我也使用JSONP通过GET隧道的请求，但这不适用于较大的请求（因为GET URL的长度有限）。所以对于大数据，我尝试通过iframe实现一个表单POST。由于同源策略，我无法从此POST读取响应，因此在发布数据后通过JSONP GET请求获取响应。工作很好，但有时我在IE 9中得到一个奇怪的警告：

  Internet Explorer已修改此页面，以帮助防止跨站点脚本。首先我想知道什么是地狱IE在做，因为即使当这个警告出现一切仍然正常工作。然后我发现，IE替换隐藏的iframe的内容后，用一个＃字符的POST答案（我不能读取和需要）。
 
 
 
所以我的解决方法仍然工作，即使当这个警告出现，但我想知道究竟触发这个警告，所以也许我可以修改我的CORS解决方法摆脱这个警告。任何提示？
解决方案
您可以配置 X-XSS-保护标题。这将告诉IE在您的网站上禁用XSS保护。
 
I'm trying to implement a workaround for missing CORS functionality in Internet Explorer. For GET requests I use JSONP, no problem here. For small POST/DELETE/PUT requests I also use JSONP by tunneling the requests through GET but this does not work for larger requests (Because the length of the GET URL is limited). So for large data I try to implement a form POST via an iframe. I can't read the response from this POST because of the same-origin policy so I fetch the response via a JSONP GET request after posting the data. Works great but sometimes I get a strange warning in IE 9:
Internet Explorer has modified this page to help prevent cross-site scripting.
First I wondered what the hell IE is doing there because even when this warning appears everything still works correctly. Then I found out that IE replaces the content of the hidden iframe AFTER the POST answer (which I can't read and need anyway) with a "#" character.

So my workaround still works even when this warning appears but I would like to know what exactly triggers this warning so maybe I can modify my CORS workaround to get rid of this warning. Any hints?
解决方案
You can configure the X-XSS-Protection header on your server. This will tell IE to disable XSS protection on your site.

                        
这篇关于什么触发器“Internet Explorer已修改此页面，以帮助防止跨网站脚本。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！