script injection allowed by default


  1. Posts : 322
    Pro 20H2
       #1

    script injection allowed by default


    [Attached image: script injection allowed by default-cross-sitescriptinjection.jpg]


  2. Posts : 1,234
    Windows 10
       #2

    Because cross-site scripting, or XSS, has to do with JavaScript, and blocking these things can mean broken webpages or webpages that don't display properly. You need to know how to navigate around this if you were to enable XSS prevention like this, and therefore it does not make sense to have these enabled by default, as the generic computer user would not know what to do.

    Basically, the web browser cannot determine if JS is legit or not (well, it cannot do so very well in some contexts), and it's easy for people to do bad things with JS. This is what XSS blocking is about.

    These policies only apply to Internet Explorer, and maybe Edge (not sure on Edge, though). So if you don't use these then it's not an issue.

    - - - Updated - - -

    X-XSS-Protection - HTTP | MDN


  3. Posts : 17,012
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #3

    Furthermore, and contrary to what you wrote, we do not "see ... that by default the mechanism is disabled".
    All we see is that Group policy has not been used to alter the mechanism. That is all that "Not configured" means.


    All the best,
    Denis


  4. Posts : 1,234
    Windows 10
       #4

    It is also an older system that is vulnerable. Content-Security-Policy is the newer, better version.
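
As an added illustration of the point in post #4 (not part of the original thread and not any poster's code): a small Python check that reads a response's headers and reports whether script injection is constrained by a Content-Security-Policy or only by the legacy X-XSS-Protection filter. The function names, finding labels and sample headers are constructed for this example; it assumes a single CSP header and does not handle `script-src-elem`.

```python
# Added example. Header values below are constructed samples.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()   # lowercased: only keywords/prefixes are inspected
        if tokens and tokens[0] not in policy:   # a repeated directive is ignored
            policy[tokens[0]] = tokens[1:]
    return policy

def inline_scripts_allowed(policy):
    """True if an injected inline <script> would still be allowed to run."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                     # nothing in the policy governs scripts
    if "'unsafe-inline'" not in sources:
        return False
    # 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
    strict = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")
    return not any(s.startswith(strict) for s in sources)

def audit(headers):
    """Return a list of finding labels for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no-csp")
    elif inline_scripts_allowed(parse_csp(csp)):
        findings.append("csp-allows-inline-script")
    # X-XSS-Protection only has an effect in browsers that still ship an XSS filter.
    if h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append("legacy-xss-filter-enabled")
    return findings

SAMPLES = {
    "filter only": {"X-XSS-Protection": "1; mode=block"},
    "weak csp": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
    "nonce csp": {"Content-Security-Policy": "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'",
                  "X-XSS-Protection": "0"},
    "no script rule": {"Content-Security-Policy": "img-src *"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name}: {audit(headers) or 'ok'}")
```

An empty result means the policy itself blocks injected inline script, so the response does not depend on a browser-side filter.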


  5. Posts : 322
    Pro 20H2
    Thread Starter
       #5

    Try3 said:
    All we see is that Group policy has not been used to alter the mechanism. That is all that "Not configured" means.
    I did not write that the policy is disabled.
    When policies that "Turn on" something are "Not configured", the somethings are not turned on.


  6. Posts : 17,012
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #6

    thename said:
    When policies that "Turn on" something are "Not configured", the somethings are not turned on.
    Incorrect.
    You can test it for yourself.
    - Go to the Registry Key for something for which you have not set up any policy then change it in RegEdit.
    - Return to the Group policy editor and it will still say Not configured.


    Denis


  7. Posts : 322
    Pro 20H2
    Thread Starter
       #7

    I believe it. (even had thought of the possibility that it might be that way)
    What about vice-versa, an enabled policy that contradicts a registry setting -- does the setting change accordingly?


  8. Posts : 17,012
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #8

    If you set the policy up after having fiddled with the Registry then the policy settings will be written over whatever you had done before.

    Denis


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.