Here is an interesting look at some of the false positives:
Firing on just "<script>" in the URL
Google: search for <script> using the normal search box on the website. It works.
But try going directly to the URL http://www.google.com/search?hl=en&q=%3Cscript%3E
IE 8 XSS filter kicks in.
Here are a few more:
Firing on javascript:alert(document.cookie)
OK, maybe it's looking for any sort of JavaScript in the URL, even though no real attacker would just pop up a message box with the cookie.
http://www.google.com/search?hl=en&q=javascript%3Aalert%28document.cookie%29&aq=f&oq=&aqi=
Firing on javascript:a
Hmm, it seems to fire on "javascript:" followed by anything at all.
http://www.google.com/search?hl=en&q=javascript%3Aa&aq=f&oq=&aqi=g10
Firing on ";alert(123);
Maybe this is someone looking for an XSS issue, but that is a stretch. Again, no real attack would use this.
http://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENUS247&=&q=";alert(123);
Firing on ";abc(123);
Oh, never mind: the far-reaching filter fires on anything that looks like a JavaScript method call following ";. It doesn't matter whether the method actually exists or not.
http://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENUS247&=&q=";abc(123);
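The pattern in the five requests above can be modelled in a few lines. The Python below is an added example written for this post; it is not code from the original article and not Microsoft's filter implementation. The three regular expressions are my own approximations of the behaviour observed (fire on "<script>", on "javascript:" followed by anything, and on a quote, a semicolon and a call-looking token), not the real IE 8 signatures. It runs the five Google URLs quoted above, plus two constructed benign searches, through those patterns to show how a context-free match on the query string flags ordinary queries.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rough approximations of the three triggers observed in the post. These are
# NOT Microsoft's actual filter signatures (which the post does not show);
# they only model "fires on this pattern anywhere in the query string".
TRIGGERS = {
    # "<script>" in the query, with or without attributes or whitespace
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    # "javascript:" followed by anything (the post shows even "javascript:a" fires)
    "javascript_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
    # a closing quote, a semicolon, then something that looks like a call: ";abc(
    "quote_break_call": re.compile(r"""["']\s*;\s*[A-Za-z_$][\w$]*\s*\("""),
}


def decoded_query_values(url):
    """Return every query-string value of url, percent-decoded once."""
    query = urlsplit(url).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]


def heuristic_triggers(url):
    """Names of the modelled triggers that fire on any query value of url."""
    hits = set()
    for value in decoded_query_values(url):
        for name, pattern in TRIGGERS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


# The five URLs quoted in the post, in order.
POST_URLS = [
    "http://www.google.com/search?hl=en&q=%3Cscript%3E",
    "http://www.google.com/search?hl=en&q=javascript%3Aalert%28document.cookie%29&aq=f&oq=&aqi=",
    "http://www.google.com/search?hl=en&q=javascript%3Aa&aq=f&oq=&aqi=g10",
    'http://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENUS247&=&q=";alert(123);',
    'http://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENUS247&=&q=";abc(123);',
]

# Constructed benign searches (not from the post) to show the false-positive
# surface: a plain query does not fire, but a search for prose that happens to
# contain "javascript:" does.
BENIGN_URLS = [
    "http://www.google.com/search?hl=en&q=how+to+bake+bread",
    "http://www.google.com/search?hl=en&q=history+of+javascript%3A+the+language",
]


def main():
    for url in POST_URLS + BENIGN_URLS:
        print(f"{heuristic_triggers(url) or ['-']!s:<24} {url}")


if __name__ == "__main__":
    main()
```

Each of the five quoted URLs trips exactly one modelled trigger, the bread search trips none, and the second benign search trips "javascript_scheme" because the match has no idea whether the value is reflected into script context or simply shown back as search text.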
So it looks to me like the XSS filter is firing pretty liberally. The problem will begin when more people adopt IE 8 and websites start to see this filter breaking legitimate functionality. At that point websites will begin disabling the XSS filter by adding the following response header:
X-XSS-Protection: 0
http://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx
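For anyone reviewing a site's responses, that header can be checked mechanically. The Python below is an added example, not code from the original post or from Microsoft's documentation: it parses a raw HTTP response head and classifies what the X-XSS-Protection value asks the browser to do (0 disables the filter, as described above; the value 1 and its mode=block directive are also documented by Microsoft and are handled for completeness). The sample responses are constructed for the example and are not captured from any real site.

```python
# Audit the X-XSS-Protection header in a raw HTTP response head. The sample
# responses below are constructed for this example, not captured from a site.


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_line, {lower_name: value})."""
    lines = raw.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if line == "":  # the blank line ends the header block; the body follows
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def xss_filter_state(headers):
    """Classify what the response tells IE 8 to do with its XSS filter.

    The post documents only the value 0, which disables the filter. A missing
    header leaves the browser at its own default (filter on in IE 8). The
    value 1, optionally with "mode=block", is also documented by Microsoft and
    is recognised here for completeness.
    """
    value = headers.get("x-xss-protection")
    if value is None:
        return "default"
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "disabled"
    if parts[0] == "1":
        return "block" if "mode=block" in parts[1:] else "enabled"
    return "unrecognized"


def audit(raw_responses):
    """Map each response label to the filter state that response requests."""
    return {label: xss_filter_state(parse_response_head(raw)[1])
            for label, raw in raw_responses.items()}


# Constructed sample responses keyed by a label describing what they show.
SAMPLE_RESPONSES = {
    "site-disables-filter": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-XSS-Protection: 0\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "no-header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "site-enables-block-mode": (
        "HTTP/1.1 200 OK\r\nx-xss-protection: 1; mode=block\r\n\r\n"
    ),
}


if __name__ == "__main__":
    for label, state in audit(SAMPLE_RESPONSES).items():
        print(f"{label:<26} {state}")
```

Header names are matched case-insensitively, which matters because the header is just as effective when a server emits it in lower case. A result of "disabled" is the case the post is warning about: the site, not the user, has turned the browser-side control off.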
That's right. The website has the ability to disable a security control set up in your browser. Seems a bit of an odd model, right? So don't rely on this control for your security. If you want to take action to protect yourself, then I recommend Mozilla with the NoScript plugin.
Also, if you are conducting security reviews and need to use IE 8, then check out this post on automatically disabling the IE 8 XSS filter with WebScarab's BeanShell.
-Michael Coates