Downloading resources from external domains

Question

We have an ASP.net website, (https://website.example.com) which is loading external libraries (css and javascript) from a different sub-domain name (https://library.example.com)

The resources we are loading via the library project are only css files and javascript plugins, which themselves doesn't make any request (via AJAX).

Testing the website in normal environments, everything works fine.

However, opening it from an Internet Explorer 8 browser, returns an error:

internet explorer has modified this page to prevent cross site scripting

Could the fact that we are referencing external resources cause the error?

If yes, what would be the solution to fix this problem?

I think 90% of the websites downloads references from external domains (like CDN servers) for example.

Answer 1

Here's one way- configure the X-XSS-Protection header on your server. This will tell IE to disable XSS protection on your site.

Looks something like this :

GET / HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 01 Feb 2012 03:42:24 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=6ddbc0a0342e7e63:FF=0:TM=1328067744:LM=1328067744:S=4d4farvCGl5Ww0C3; expires=Fri, 31-Jan-2014 03:42:24 GMT; path=/; domain=.google.com
Set-Cookie: NID=56=PgRwCKa8EltKnHS5clbFuhwyWsd3cPXiV1-iXzgyKsiy5RKXEKbg89gWWpjzYZjLPWTKrCWhOUhdInOlYU56LOb2W7XpC7uBnKAjMbxQSBw1UIprzw2BFK5dnaY7PRji; expires=Thu, 02-Aug-2012 03:42:24 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked

1000

Please read here for more details