Question about sec-ch-ua HTTP header being flag as possible XSS

eric_simmons · September 23, 2020, 4:42pm

Wanted to ask a question. We are getting a lot of App Firewall events where it looks like Chrome is injecting a new HTTP header named “sec-ch-ua” with a value of

“\Not;A"Brand”;v=“99”, “Google Chrome”;v=“85”, “Chromium”;v=“85”

This event looks innocuous. I did some research and below are a few articles on the header.

https://www.chromestatus.com/feature/5995832180473856

Are these events harmless, and if so, can we configure our applications to ignore the.

bria_grangard · September 23, 2020, 7:27pm

Hey Eric!

Yes, this event is harmless and safe to ignore. We also do have an item in our backlog to include a filter to automatically ignore these (related to the changes that you’ve outlined above regarding the sec-* headers).

eric_simmons · December 15, 2020, 9:22pm

Hello. Quick question. Have you all made any progress on filtering these items out. They are causing us to get alerts on legitimate traffic.

bria_grangard · December 17, 2020, 6:17pm

Hey Eric! We actually pushed out a blanket policy to ignore sec-ch-ua header matching tc-xss4 pattern last night…let me know how it goes!

eric_simmons · December 17, 2020, 8:13pm

I have confirmed that the rule is in place. Thanks @bria_grangard