Problem:
Recently I upgraded Internet Explorer on our Citrix farm from IE 7 to IE 8; everything went fine except for a very internal site used for entering customer orders. When users tried to use this site they received the message “Internet Explorer has modified this page to help prevent cross-site scripting”.
Cause:
Internet Explorer 8 has a new security feature called the “XSS Filter”. More details on what the XSS Filter does can be found here:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Workaround 1:
By default, sites that are members of the “Local Intranet zone” have the XSS Filter turned off, so if appropriate you could add the affected site to the “Local Intranet zone”.
Workaround 2:
In my case the site that was having issues was within the “Trusted Sites” zone, so I felt it was ok to disable the “XSS Filter” for this zone.
You can disable this security feature using a GPO:
- Edit or create a new GPO that targets the affected users
- Drill down to User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Replace “Trusted Sites Zone” with whatever zone you are interested in. If you are unsure which zone your site is a member of, open the site and look in the bottom right corner of IE.
- Enable the policy “Turn on Cross-Site Scripting (XSS) Filter” and set its option to Disable
After running gpupdate /force on a client and restarting IE, you can verify the setting was applied under Internet Options > Security > (select the zone) > Custom Level.
Then scroll to the Scripting section near the bottom.
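As an added check (not part of the original post), the PowerShell script below reports the effective XSS Filter setting for each zone by reading the registry, so you can confirm the GPO landed on a Citrix server, or audit which zones have the filter turned off, without opening Custom Level. It assumes IE stores this per-zone action as DWORD value 1409 (0 = filter on, 3 = filter off) and that the GPO writes the same value under the Policies hives named in the comments.

```powershell
# Added audit script, not from the original post. Assumes IE keeps the
# per-zone "Turn on XSS Filter" action as DWORD value "1409" under the
# zone's key (0 = filter on, 3 = filter off) and that Group Policy writes
# the same value under the Policies hives. Zone ids: 1 = Local Intranet,
# 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites.
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$XssFilterValue = '1409'

# Locations in precedence order: machine policy, then user policy, then the
# user's own Internet Options settings. The first hit is the effective one.
$Sources = @(
    @{ Name = 'HKLM policy';   Path = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' },
    @{ Name = 'HKCU policy';   Path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' },
    @{ Name = 'User settings'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' }
)

function Get-IeXssFilterState {
    foreach ($zoneId in ($ZoneNames.Keys | Sort-Object)) {
        # No value anywhere means IE's built-in default applies
        # (off for Local Intranet, on for the other zones).
        $state = 'not set (IE default)'
        $from  = '-'
        foreach ($src in $Sources) {
            $key = Join-Path $src.Path $zoneId
            if (-not (Test-Path $key)) { continue }
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$XssFilterValue
            if ($null -eq $raw) { continue }
            switch ([int]$raw) {
                0       { $state = 'filter ON' }
                3       { $state = 'filter OFF' }
                default { $state = "unknown value $raw" }
            }
            $from = $src.Name
            break
        }
        [pscustomobject]@{ Zone = $ZoneNames[$zoneId]; State = $state; Source = $from }
    }
}

Get-IeXssFilterState | Format-Table -AutoSize
```

Run it in the session of an affected user after gpupdate; a Trusted Sites row showing “filter OFF” from “HKCU policy” confirms the GPO above took effect, and any other zone showing “filter OFF” is worth a second look.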