Google Chrome is ditching its XSS detection tool

Google is removing a nine-year-old feature in its Chrome web browser, which spotted a common online attack. Don’t worry, though – another, hopefully better, protection measure is on the way.

Introduced in 2010, XSS Auditor is a built-in Chrome function designed to detect cross-site scripting (XSS) vulnerabilities. In an XSS attack, a malicious actor injects their own code onto a legitimate website. They might do that by adding malicious code to a legitimate URL, or by posting content to a site that stores and displays what they’ve posted (persistent XSS).

When someone looks at the code injected by the attacker it executes a command in their browser, which might do anything from stealing the victim’s cookies to trying to infect them with a virus.

Websites should prevent this kind attack by sanitising user-submitted data, but many don’t.

XSS Auditor tries to detect XSS vulnerabilities while the browser is parsing HTML. It uses a blocklist to identify suspicious characters or HTML tags in request parameters, matching them with content to spot attackers injecting code into a page.

The beef that some developers have is that it doesn’t catch all XSS vulnerabilities in a site. XSS code that the feature doesn’t spot, called bypasses, are common online.

Google’s engineers had already adapted XSS Auditor to filter out troublesome XSS code rather than blocking access altogether, citing “undesirable consequences”, but this clearly wasn’t enough, and now they’re killing it off altogether.

When first discussing the plan to retire XSS Auditor, Google senior security engineer Eduardo Vela Nava said:

We haven’t found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped. In the past 3 months we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.

Although there was some pushback, the developers seem to have reached enough consensus that they’re going ahead with the plan. In announcing the deprecation on Monday, Google security engineer Thomas Sepez said:

Bypasses abound.

It prevents some legit sites from working.

Once detected, there’s nothing good to do.

It introduces cross-site info leaks.

 Fixing all the info leaks has proven difficult.

Without XSS Auditor, how will web developers check to see if their sites are buggy? Another feature is in development to help: an application programming interface (API) called Trusted Types. Trusted types treats user input as untrustworthy by default and forces developers to take steps to sanitise it before it can be included in a web page.