Google to remove Chrome's built-in XSS protection (XSS Auditor)

XSS Auditor became too inefficient at blocking XSS attacks, and a chore to maintain.
Written by Catalin Cimpanu, Contributor

Google engineers plan to remove a Chrome security feature that has not been living up to par with the protections with was supposed to provide for years.

Named XSS Auditor, the feature was added to Chrome in 2010, with the release of Google Chrome v4.

As the name implies, XSS Auditor scans a website's source code for patterns that look like a cross-site scripting (XSS) attack that may try to run malicious code in the user's browser.

If a known XSS pattern is found, Chrome may remove the malicious code, or may block the website from loading altogether, showing an error like the one below.

Chrome XSS Auditor error

For years, XSS Auditor has been a unique feature on the browser landscape, and has helped Chrome stand apart from other browsers, being the only one which featured built-in XSS protection.

Since its launch, the feature has been replicated in other browsers with the help of add-ons, with the most famous being the NoScript extension, which has featured a XSS protection mechanism for years now.

XSS Auditor is now full of holes

But this Monday, July 15, Google engineers announced plans to deprecate and remove XSS Auditor from Chrome.

Engineers cited several reasons for removing the feature. The first one mentioned was the numerous XSS Auditor bypasses that have been discovered in the past couple of years.

While after its launch XSS Auditor was a reputable feature, it's now a punchline, with bug hunters joking that you're not really a security researchers until you find an XSS Auditor bypass. In just two minutes, ZDNet found ten XSS Auditor bypasses with nothing more than a Google search [1, 2, 3, 4, 5, 6, 7, 8, 9, 10], and plenty more were left waiting.

Furthermore, patching all the XSS Auditor bypasses has put holes in Chrome itself. In a Google Groups discussion announcing XSS Auditor's deprecation, Chrome engineer Thomas Sepez said that XSS Auditor has introduced many "cross-site info leaks," and that "fixing all the info leaks has proven difficult."

And there's also the problem with false positives; cases where XSS Auditor has blocked access to legitimate sites based on erronous detections.

This is the reason why with the release of Chrome 74, Google switched the default XSS Auditor mode from "block" to "filter," meaning that since April, XSS Auditor has not been blocking access to websites containing XSS code, but rather removing the code, in an attempt to cut down on the number of false positives reports its engineers had been getting.

To be replaced by Trusted Types API

Work on deprecating the XSS Auditor component started last year, in October. Google has not specified in what Chrome release XSS Auditor will be disabled, and eventually removed for good from the Chrome codebase.

The good news is that Google has already started working on a replacement. In February, Google announced that its engineers had developed the Trusted Types browser API, a new defense against DOM-based XSS attacks, which they claimed would "obliterate DOM XSS."

Unlike XSS Auditor, which was a Chrome component, the new Trusted Types API is a web standard, and could, in theory, be included with other browsers as well.

According to an Imperva report published in January, XSS vulnerabilities were the most prevalent form of web-based attacks in 2014, 2015, 2016, and 2017. They were the second most common form of web-based attacks last year, only missing on the top position because of an uncommon spike in SQL injection attacks.

XSS vulnerabilities are often downplayed by companies and security experts because they don't always lead to direct damage to users accessing a site. However, they are often the first stepping stone in complex exploit routines, facilitating more damaging hacks. Eliminating XSS attacks would in many cases keep users safe from more complex attacks that wouldn't be possible without an initial foothold provided by XSS.

The two other browsers who featured an XSS filter besides Chrome were Internet Explorer and Edge. Microsoft removed the XSS filter from Edge last year. The OS and browser maker cited the presence of modern standards like Content Security Policy that can be more efficient at blocking XSS attacks at the website level.

Article updated with information on Microsoft removing the XSS filter from Edge.

All the Chromium-based browsers

More browser coverage:

Editorial standards