UnXSS
Evade Chrome's cross-site scripting (XSS) protection by modifying or deleting websites' security headers on the fly.
For example:
- If you want to load a website in an iframe, and that website uses
X-Frame-Options: SAMEORIGIN
, Chrome will refuse to show the website. Use the "Delete X-Frame-Options header" option to have Chrome ignore that restriction. - If you want to call a foreign AJAX endpoint from a website that has
Content-Security-Policy: ...
set to disallow wildcard script-src, use the "Delete Content-Security-Policy header" to allow running any script on that page. - If you want to call out to an API endpoint that doesn't specify itself as
CORS
-friendly, enable the "Add Access-Control-Allow-Origin: * header" and "Add Access-Control-Allow-Methods: * header" options.
Each restriction can be disabled or enabled individually; labeled checkboxes on the configuration page clearly indicate which restrictions are disabled.
The default is to leave all restrictions in place. When you want to allow one or more XSS vectors, click the dark "XSS
Installation
UnXSS can be found in the Chrome web store.
Notes
Chrome's developer tools' "Network" inspector shows the original, pre-interception, headers.
Development
Debugging the default_popup
page, options.html
:
chrome-extension://the_extensions_chrome_id/options.html
Or right-click on the icon in the toolbar and click "Inspect Popup".
Publishing
Icon. The icon should be 128x128 and have transparent 16px margins on each side. Screenshots. Can use up to five 1280x800 or 640x400 images. Tiles. One each of 440x280, 920x680, 1400x560 images.
License
Copyright ©2014 Christopher Brown. MIT Licensed.