Forum Discussion

Parveez_70209
Sep 23, 2013

XSS Issue in IE Setting: Any suggestion from F5 LTM side

I was seeking assistance with the cross-site scripting (XSS) setting; in order to overcome this setting for the users going through the direct URL, they would need to add *.mycompany.com to trusted sites and have XSS disabled only for trusted sites, instead of changing it for the Internet or Local intranet sites. Is this something you can authorize the users to do at Coastal, or is XSS required to be enabled on all sites?

Issue: The user is unable to get Reports to load if XSS is enabled, and the only way to get the Reports to load is to disable XSS for all Internet sites. He has tried adding https://*.mycompany.com to trusted sites and disabling XSS for just the trusted sites, but that does not resolve the issue. The user is using IE8.

Can we do any setting from the LTM too? Users will browse the virtual server internally as well as externally, and we are using an SSL client profile for now.

Thanks, Parveez

 

4 Replies

  • You can use an iRule attached to the virtual server to disable XSS: "when HTTP_RESPONSE { HTTP::header insert X-XSS-Protection 0 }" This tells IE to skip the XSS checks it would normally do.
  • So, I am going to add one more iRule to exempt the XSS settings, right?

    HTTP_RESPONSE { HTTP::header insert X-XSS-Protection 0 }"

  • I am getting a syntax error; kindly assist with this.

    HTTP_RESPONSE { HTTP::header insert X-XSS-Protection 0 }"
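The syntax error in the last reply comes from two things visible in the posted snippet: an iRule event handler has to be introduced with the `when` keyword, as in the first reply (`when HTTP_RESPONSE { ... }`), and there is a stray closing quote at the end of the line. The iRule below is an added example, not code from the thread or from F5, of a complete handler that does what the first reply suggests but only for the reports pages rather than for every response the virtual server sends. The `/reports` path is an assumption; substitute the real URI of the reports application. Because `HTTP::path` is only available in the request event, the decision is stored in a variable during HTTP_REQUEST and read back in HTTP_RESPONSE, and `HTTP::header replace` is used when the pool member already sends its own X-XSS-Protection header so IE does not receive two conflicting values.

```tcl
# Added example, not the thread's own iRule.
# Assumption: the reports that fail to load live under /reports on the virtual server.
when HTTP_REQUEST {
    # HTTP::path is a request-side command; remember the decision for the response.
    set disable_xss_filter [string match -nocase "/reports*" [HTTP::path]]
}

when HTTP_RESPONSE {
    # Guard against a response seen without a matching request on this connection.
    if { [info exists disable_xss_filter] && $disable_xss_filter } {
        # X-XSS-Protection: 0 tells IE8 and later to skip its reflected-XSS filter
        # for this response. Replace an existing header rather than adding a duplicate.
        if { [HTTP::header exists "X-XSS-Protection"] } {
            HTTP::header replace "X-XSS-Protection" "0"
        } else {
            HTTP::header insert "X-XSS-Protection" "0"
        }
    }
}
```

Attach the iRule to a virtual server that has an HTTP profile; since the thread mentions a client SSL profile, the LTM is terminating TLS and can edit the HTTP headers. Two caveats: the header only instructs the browser's XSS filter and does not change the Trusted Sites setting the original post asked about, and setting it to 0 removes a client-side defence for those pages, so it is worth confirming that the reports are being blocked by a filter false positive rather than by input that the page genuinely reflects.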