up vote 2 down vote favorite

Possible Duplicate:
StackOverflow disables jQuery if you post a code snippet with a jQuery reference

Steps to reproduce:

  1. Answer a question on SO (bug does not apply here on Meta)
  2. Edit the answer and save.
  3. You will probably see such screen:
    enter image description here

After reloading the page everything is OK.

Don't think it's specific to my own answer, but here it is anyway.

Chrome 11 browser, didn't test with others yet.

link|improve this question
65% accept rate
1  
I am not sure SE team can fix this, since it is pretty depends on chrome feature. – YOU May 4 at 15:22
YOU're a star, as usual.... wouldn't have guessed such a thing in googol years!! – Shadow Wizard May 4 at 19:06
feedback

closed as exact duplicate by YOU, Jeff Atwood May 6 at 5:11

This question covers exactly the same ground as earlier questions on this topic; its answers may be merged with another identical question.

1 Answer

up vote 4 down vote accepted

Unfortunately, this is a "feature" in Chrome, called "Reflective XSS Protection". It seems this has been in Chrome since version 4:

In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS, reflective XSS. The XSS filter checks whether a script that's about to run on a web page is also present in the request that fetched that web page. If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script.

We have only recently started receiving these reports; however, the "jQuery isn't working" warning isn't very old yet either, so it's possible that people previously just hadn't noticed that jQuery was blocked for the duration of one page.

Why Chrome wants to disallow people from XSSing themselves (this happens as a reaction to a same-origin POST request -- and it's data the browser itself submitted), I don't know -- in my book, this behaviour doesn't make any sense.

Sad as it is, there's not much we can do about it – Fortunately, it's pretty rare that a post submission contains JavaScript code that's identical to some code in the resulting page, and the workaround is easy (just reload the page).

link|improve this answer
I wonder if this could be a WebKit issue. One thing is sure: similar things are known to happen in Safari too (like see December 2010 comments here). However, I've not yet ran into Safari blocking the jQuery libraries themselves. – Arjan May 4 at 18:41
Thanks, glad to know it's not "global" bug. :) – Shadow Wizard May 4 at 19:07
1  
When I escape a "." to "%2e" in jquery url like ... src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min%2ejs"..., chrome does not reject the script, still load jquery yet. What do you think, with that (hack)? – YOU May 4 at 19:08
1  
@YOU: Proves one more time how useless this "protection" is :) But this is really too rare and tiny of an issue to hack around it. – balpha May 4 at 19:25
feedback

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged