Wordpress - "The XSS Auditor refused to execute a script in ........

Philippe (Member)
in Help, edited June 2016
Hi,

We have an issue with WordPress.
When we work logged in and preview changes, with Safari on OS X, the following message appears in the code and the FoxyCart scripts do not get executed:
The XSS Auditor refused to execute a script in 'http://new.xxxxxxx.com/bug-store/?preview=true&preview_id=187&preview_nonce=4d553f0b20' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

A workaround is to have another browser open (Firefox, for example), accessing the same page BUT not logged in, refresh the page, and observe the outcome. Is there a better way to do this though, working in just one browser and using the preview mode?

Comments
  • fc_adam (FoxyCart Team)
    @Philippe,

    Would it be possible for you to set up a login for your WP admin that we could use to log in, along with the steps to duplicate what you're seeing? We'd like to see it in action if we could.
  • fc_adam (FoxyCart Team)
    @Philippe,

    I was able to replicate what you described on that new page you whispered - but then as soon as I refreshed the page, it worked just fine without any issues. I'm not 100% on what's happening here, but I believe it relates to how WordPress is handling the preview functionality. If you refresh the preview page after it's loaded, or if you copy the URL and load it again in a different tab, it'll load just fine.

    Actually I believe the issue is because you have forms inside the page body in WordPress - so it's present in both the request and the response for previewing the page which is detected as an XSS attack by the browser (which it does fit the criteria of). Refreshing the page fixes it as it's not starting off with the POST request from WordPress.

    So for now, when you preview - you'll just need to refresh the page that loads and you should be fine to use it then.
  • Great - a refresh and it works! Thanks
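
A simplified model of the check described in fc_adam's reply, added here as an illustration and not code from the thread, FoxyCart or the browser: it flags any script in the response whose src URL or inline body also appears in the decoded request. The function names, URLs and sample markup are constructed assumptions, including that the previewed page content carries the script tag itself.

```javascript
// Simplified model of a reflected-XSS filter like the XSS Auditor in the
// thread. It is not the browser's real algorithm: it only asks whether a
// script in the response also appears, after decoding, in the request.

// Collapse whitespace so formatting differences do not hide a match.
const squash = (s) => s.replace(/\s+/g, " ").trim();

// Decode a URL query string or form-encoded POST body into plain text.
function decodeRequest(raw) {
  try {
    return squash(decodeURIComponent(raw.replace(/\+/g, " ")));
  } catch (e) {
    return squash(raw); // malformed escapes: fall back to the raw text
  }
}

// Collect each script's identifying text: its src URL or its inline body.
function scriptSnippets(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const text = squash(src ? src[1] : m[2]);
    if (text) found.push(text);
  }
  return found;
}

// Return the scripts the model would refuse to run for this request.
function blockedScripts(url, postBody, responseHtml) {
  const query = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
  const request = decodeRequest(query) + " " + decodeRequest(postBody || "");
  return scriptSnippets(responseHtml).filter((s) => request.includes(s));
}

// Constructed sample: page content containing a form plus a cart script.
const content = '<form action="/cart"><input name="code" value="A1"></form>' +
  '<script src="https://cdn.example.invalid/loader.js"></script>';
const page = "<html><body>" + content + "</body></html>";
const previewUrl = "http://site.example.invalid/bug-store/?preview=true";

// Preview: the editor POSTs the content, and the same markup comes back.
const onPreview = blockedScripts(previewUrl,
  "content=" + encodeURIComponent(content), page);
// Refresh: a plain GET of the same URL carries no page content.
const onRefresh = blockedScripts(previewUrl, "", page);
console.log({ onPreview, onRefresh });
```

The preview request is flagged because the posted content and the returned page contain the same script, while the refresh sends nothing for the model to match against.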