X-XSS-Protection "1;mode=block" script blocking demo

Visit this page using the link below (note: the page should not load; press Back after testing):

https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/?foo=%3Cscript%20src=%22https://example.com/does-not-exist.js%22%3E%3C/script%3E


The XSS filter (in Chrome, at least) detects that the script carried in the GET parameter is reflected into the DOM and, because the header sets "mode=block", blocks the page from rendering.


The offending script:

<script src="https://example.com/does-not-exist.js"></script>
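To make the behaviour concrete, here is an added model (not the page's own code) of what the filter decides for the demo link above: it reproduces the vulnerable echo of ?foo=, the simplified "parameter value reflected verbatim" check, and the three header outcomes. The escaped variant shows the actual fix: with output encoding nothing is reflected, so the header is irrelevant (modern Chromium no longer ships the XSS Auditor at all). The page bodies are constructed stand-ins, not the real page.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The demo link from the page: ?foo= carries a percent-encoded <script> tag.
DEMO_URL = ("https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/"
            "?foo=%3Cscript%20src=%22https://example.com/does-not-exist.js%22%3E%3C/script%3E")


def vulnerable_page(url):
    """Constructed stand-in for the demo page: echoes ?foo= into the body unescaped."""
    foo = parse_qs(urlsplit(url).query).get("foo", [""])[0]
    return "<html><body>" + foo + "</body></html>"


def safe_page(url):
    """Same page with HTML output encoding, the fix the browser filter only papered over."""
    foo = parse_qs(urlsplit(url).query).get("foo", [""])[0]
    return "<html><body>" + escape(foo, quote=True) + "</body></html>"


def reflected_scripts(url, body):
    """GET parameter values that contain a <script> tag and appear verbatim in the
    response body: a simplified model of the reflection check the filter performs."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            if "<script" in value.lower() and value in body:
                hits.append((name, value))
    return hits


def filter_action(header_value, url, body):
    """Outcome for a browser honouring X-XSS-Protection: 'render' (filter off, or
    nothing reflected), 'sanitize' (value "1" strips the script but shows the page),
    'block' ("1;mode=block" shows nothing, as on the demo page)."""
    directives = [d.strip().lower() for d in header_value.split(";")]
    if directives[0] != "1" or not reflected_scripts(url, body):
        return "render"
    return "block" if "mode=block" in directives else "sanitize"


if __name__ == "__main__":
    for header in ("0", "1", "1;mode=block"):
        print(f"{header!r:16} vulnerable page -> "
              f"{filter_action(header, DEMO_URL, vulnerable_page(DEMO_URL))}")
    print("escaped page under 1;mode=block ->",
          filter_action("1;mode=block", DEMO_URL, safe_page(DEMO_URL)))
```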