X-Xss-Protection "1;mode=block" disable script demo

Visit this page using this link (note: the page should not load; hit back after testing):



The XSS filter (in Chrome at least) will detect that the script in the GET param is present in the DOM and block the page from rendering because of "mode=block" in the header.


The offending script:

<script src="https://example.com/does-not-exist.js"></script>
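
A simplified model of the behaviour described above, added here as an example; it is not part of the original demo and is not Chrome's actual filter algorithm. The function names, the demo.invalid host, and the plain substring matching are assumptions made for illustration.

```javascript
// Simplified model, not Chrome's real XSS filter: a reflection is a decoded
// query value's <script ...> opening tag found verbatim in the response body.

// Parse a header value such as "1;mode=block" into its flag and directives.
function parseXssProtection(value) {
  const [flag, ...directives] = value.split(";").map((s) => s.trim());
  const policy = { enabled: flag === "1", block: false, report: null };
  for (const directive of directives) {
    const [name, ...rest] = directive.split("=");
    const key = name.trim().toLowerCase();
    const arg = rest.join("=").trim();
    if (key === "mode" && arg.toLowerCase() === "block") policy.block = true;
    if (key === "report") policy.report = arg;
  }
  return policy;
}

// Collect every <script ...> opening tag carried in the URL's query string.
function scriptsInQuery(url) {
  const tags = [];
  for (const value of new URL(url).searchParams.values()) {
    tags.push(...(value.match(/<script\b[^>]*>/gi) || []));
  }
  return tags;
}

// Decide what the modelled filter does with one response.
function evaluate(url, headerValue, body) {
  const policy = parseXssProtection(headerValue);
  if (!policy.enabled) return { action: "render", matched: [] };
  const matched = scriptsInQuery(url).filter((tag) => body.includes(tag));
  if (matched.length === 0) return { action: "render", matched };
  return { action: policy.block ? "block-page" : "strip-script", matched };
}

// Constructed sample: the page's own script tag, echoed in a GET parameter.
const SCRIPT = '<script src="https://example.com/does-not-exist.js"></script>';
const BODY = `<html><body><p>demo</p>${SCRIPT}</body></html>`;
const DEMO_URL = "https://demo.invalid/?x=" + encodeURIComponent(SCRIPT);

for (const header of ["1;mode=block", "1", "0"]) {
  console.log(header, "->", evaluate(DEMO_URL, header, BODY).action);
}
```

In this model only the "mode=block" directive turns a match into a refusal to render the whole page; with a bare "1" the matched script alone is dropped.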