The first thing to note is that the XSS Auditor is a WebKit module, not a Chrome-specific one. Therefore, WebKit-based browsers such as Safari and the speed mode of the 360 Secure Browser all have the XSS filter function as well.
Filtering Method:
It fuzzy-matches the input parameters (GET query string, POST form data, and the URL fragment, i.e. location.hash) against the DOM tree being built. If the matched data contains a cross-site script, that script is not emitted into the DOM tree. Note that the matching rules are independent of CSP and are largely heuristic, for reference only; CSP-like rule sets are updated far too slowly to keep up with real-world problems.
Disabling it:
Because the filter may break legitimate business functionality, the browser provides an HTTP response header that switches it off:
X-XSS-Protection: 0
Bypass Method:
For this reason I have looked into bypasses. A bypass 0day that I published earlier is still usable at the time of writing:
<svg><script xlink:href=data:,alert(1)></script></svg>
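As an added example (not code from the original post, nor from WebKit), here is a small Node.js-style request handler that ties the two practical points above together: the X-XSS-Protection header from the disabling section, and the fact that server-side output encoding, not the browser-side filter, is what actually stops a reflected payload such as the SVG/xlink:href one. The route path, the parameter name q, and all function names are hypothetical; the request URL is constructed for the example.

```javascript
// Added example, not from the original post or from WebKit. A pure
// request-to-response function so it runs offline; names are hypothetical.

// The bypass payload quoted in the post: a script loaded through xlink:href
// inside <svg>, which the auditor does not catch.
const PAYLOAD = '<svg><script xlink:href=data:,alert(1)></script></svg>';

// Vulnerable rendering: the query parameter is written into the HTML as-is.
// Whatever the browser's XSS filter misses (or when it is disabled) will run.
function renderVulnerable(q) {
  return `<!doctype html><title>Search</title><h1>Results for ${q}</h1>`;
}

// Hardened rendering: HTML-escape the reflected value. The payload becomes
// inert text whether or not any client-side filter is present or bypassed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(q) {
  return `<!doctype html><title>Search</title><h1>Results for ${escapeHtml(q)}</h1>`;
}

// Response headers. "X-XSS-Protection: 0" is the header from the post that
// turns the auditor off; "1; mode=block" keeps it on and blocks the whole page
// instead of stripping the matched script. CSP is the control to rely on.
function responseHeaders({ disableAuditor }) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-XSS-Protection': disableAuditor ? '0' : '1; mode=block',
    'Content-Security-Policy': "default-src 'self'",
  };
}

// Handle a request given as a URL path, e.g. "/search?q=...". Returns a plain
// object instead of writing to a socket so the behaviour can be inspected.
function handleRequest(requestUrl, { disableAuditor = false, hardened = true } = {}) {
  const url = new URL(requestUrl, 'http://localhost');
  const q = url.searchParams.get('q') || '';
  const render = hardened ? renderHardened : renderVulnerable;
  return { status: 200, headers: responseHeaders({ disableAuditor }), body: render(q) };
}

// Constructed request carrying the payload exactly as an attacker would send it.
const ATTACK_URL = `/search?q=${encodeURIComponent(PAYLOAD)}`;

// Quick demonstration when run directly.
console.log(handleRequest(ATTACK_URL, { hardened: false }).body);
console.log(handleRequest(ATTACK_URL).body);

module.exports = { PAYLOAD, ATTACK_URL, renderVulnerable, renderHardened, escapeHtml, responseHeaders, handleRequest };
```

The vulnerable branch emits the <script xlink:href=...> element verbatim, so the page is exploitable in any browser whose filter does not recognise that form, and in every browser once the header is set to 0. The hardened branch emits only &lt;svg&gt;... text, so the filter's matching rules never matter.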