If a known XSS pattern is found, Chrome may remove the malicious code, or may block the website from loading altogether, showing an error like the one below.
For years, XSS Auditor has been a unique feature on the browser landscape, and has helped Chrome stand apart from other browsers, being the only one which featured built-in XSS protection.
Since its launch, the feature has been replicated in other browsers with the help of add-ons, the most famous being the NoScript extension, which has featured an XSS protection mechanism for years now.
XSS Auditor is now full of holes
But this Monday, July 15, Google engineers announced plans to deprecate and remove XSS Auditor from Chrome.
Engineers cited several reasons for removing the feature. The first one mentioned was the numerous XSS Auditor bypasses that have been discovered in the past couple of years.
While after its launch XSS Auditor was a reputable feature, it's now a punchline, with bug hunters joking that you're not really a security researcher until you find an XSS Auditor bypass. In just two minutes, ZDNet found ten XSS Auditor bypasses with nothing more than a Google search [1, 2, 3, 4, 5, 6, 7, 8, 9, 10], and plenty more were left waiting.
Furthermore, patching all the XSS Auditor bypasses has put holes in Chrome itself. In a Google Groups discussion announcing XSS Auditor's deprecation, Chrome engineer Thomas Sepez said that XSS Auditor has introduced many "cross-site info leaks," and that "fixing all the info leaks has proven difficult."
And there's also the problem of false positives: cases where XSS Auditor has blocked access to legitimate sites based on erroneous detections.
Work on deprecating the XSS Auditor component started last year, in October. Google has not specified in what Chrome release XSS Auditor will be disabled, and eventually removed for good from the Chrome codebase.
The good news is that Google has already started working on a replacement. In February, Google announced that its engineers had developed the Trusted Types browser API, a new defense against DOM-based XSS attacks, which they claimed would "obliterate DOM XSS."
Unlike XSS Auditor, which was a Chrome component, the new Trusted Types API is a web standard, and could, in theory, be included with other browsers as well.
According to an Imperva report published in January, XSS vulnerabilities were the most prevalent form of web-based attacks in 2014, 2015, 2016, and 2017. They were the second most common form of web-based attacks last year, only missing the top position because of an uncommon spike in SQL injection attacks.
XSS vulnerabilities are often downplayed by companies and security experts because they don't always lead to direct damage to users accessing a site. However, they are often the first stepping stone in complex exploit routines, facilitating more damaging hacks. Eliminating XSS attacks would in many cases keep users safe from more complex attacks that wouldn't be possible without an initial foothold provided by XSS.