Recently I upgraded Internet Explorer on our Citrix farm from IE 7 to IE 8. Everything went fine except for a very internal site used for entering customer orders. When users tried to use this site they received the message “Internet Explorer has modified this page to help prevent cross-site scripting”.
Internet Explorer 8 has a new security feature called “XSS Filter”; more details on what the “XSS Filter” does can be found here.
By default, sites that are members of the “Local Intranet zone” have the XSS Filter turned off, so if appropriate you could add the affected site to the “Local Intranet zone”.
In my case the site that was having issues was within the “Trusted Sites” zone, so I felt it was OK to disable the “XSS Filter” for this zone.
You can disable this security feature using a GPO.
- Edit or create a new GPO that targets the affected users
- Drill down to User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Replace “Trusted Sites Zone” with whichever zone you are interested in. If you are unsure which zone your site is a member of, open the site and look in the bottom right corner of IE.
- Enable the policy “Turn on Cross-Site Scripting (XSS) Filter” and set the option to disabled
After running gpupdate /force on a client and restarting IE, you can verify the setting was applied under Internet Options => Security => Select Zone => Custom Level.
Then scroll to the scripting section near the bottom.
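The same verification can be scripted, which also confirms that the filter was turned off only in the zone you intended. This is an added example, not part of the original post. It assumes the standard IE zone registry layout, which the post does not mention: URL action 1409 holds the XSS Filter setting (0 = enabled, 3 = disabled), and zones 1 to 4 are Local Intranet, Trusted Sites, Internet and Restricted Sites.

```powershell
# Report the XSS Filter state for each IE security zone for the current user.
# Assumption (not from the post): URL action 1409 is the XSS Filter setting,
# where 0 = enabled and 3 = disabled.
$XssAction = '1409'
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Policy locations are checked before the user's own preference;
# the first location that defines the value is the one reported.
$Sources = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$Suffix"
    'User policy'     = "HKCU:\Software\Policies\$Suffix"
    'User preference' = "HKCU:\Software\$Suffix"
}

function Get-XssFilterState {
    param([int]$Zone)
    foreach ($source in $Sources.GetEnumerator()) {
        $key  = Join-Path $source.Value $Zone
        $item = Get-ItemProperty -Path $key -Name $XssAction -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = $item.$XssAction
            $state = switch ($value) {
                0       { 'Enabled' }
                3       { 'Disabled' }
                default { "Unknown ($value)" }
            }
            return [pscustomobject]@{
                Zone      = $ZoneNames[$Zone]
                XssFilter = $state
                Source    = $source.Key
            }
        }
    }
    # Nothing set anywhere: IE falls back to the zone's built-in default.
    [pscustomobject]@{ Zone = $ZoneNames[$Zone]; XssFilter = 'Not set (zone default)'; Source = '-' }
}

1..4 | ForEach-Object { Get-XssFilterState -Zone $_ } | Format-Table -AutoSize
```

Run it as the affected user after gpupdate /force. With the GPO above, Trusted Sites should show Disabled with source "User policy", and the Internet zone should not show Disabled.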