Chromium's XSS auditor refused to execute a script
If you'd like to tell Chrome to disable its XSS protection, you can send an X-XSS-Protection header with a value of 0. Since you appear to be using PHP, you'd add this somewhere where it'll always be executed before any content has been output:
header("X-XSS-Protection: 0");
If you are getting blocked by XSS Auditor, you should check whether your code has an XSS vulnerability or not before simply disabling it.
If you're getting blocked by XSS Auditor, there's a decent chance you have an XSS vulnerability and just didn't realize it. If you simply disable the XSS Auditor, you will remain vulnerable: it's treating the symptoms, rather than the underlying illness (the root cause).
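To make the root-cause check above concrete, here is an added example (not code from the question or from any answer on this page) that puts a reflected value echoed raw next to the same output encoded with htmlspecialchars(). The function names, the q parameter and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: reflected input echoed raw versus HTML-encoded.
// render_search_unsafe(), render_search_safe(), h() and "q" are hypothetical names.

// Vulnerable: the request value is copied into the page unchanged, so any
// markup in it becomes part of the document. This is the reflection pattern
// that XSS Auditor reacted to.
function render_search_unsafe(string $q): string
{
    return '<p>Results for: ' . $q . '</p>'
         . '<input name="q" value="' . $q . '">';
}

// Encode for the HTML context at output time.
// ENT_QUOTES encodes both quote characters (required inside attribute values);
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every reflected value passes through h() before it is output.
function render_search_safe(string $q): string
{
    return '<p>Results for: ' . h($q) . '</p>'
         . '<input name="q" value="' . h($q) . '">';
}

// Constructed sample inputs standing in for $_GET['q'].
$samples = [
    'plain text',
    '<script>alert(1)</script>',
    '" onfocus="alert(1)',
];

foreach ($samples as $q) {
    $unsafe = render_search_unsafe($q);
    $safe   = render_search_safe($q);
    // The two outputs differ only when the input carried HTML metacharacters.
    $note = ($unsafe !== $safe) ? 'input contained markup' : 'identical output';
    printf("input : %s\nunsafe: %s\nsafe  : %s\n(%s)\n\n", $q, $unsafe, $safe, $note);
}
```

With the encoded version the browser receives the input as text, so there is nothing for the auditor to block and no reason to send X-XSS-Protection: 0.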
I encountered exactly the same issue when I was studying XSS recently. The screenshot below shows a PHP way to bypass Chrome's XSS Auditor.
Just add -- header("X-XSS-Protection: 0");