I’m working on a legacy app which still needs to support IE11. There’s one screen (a search window in a pop-up) which intermittently triggers the XSS filter, depending on values in the URL, despite everything being encoded properly. When this happens the entire screen is prevented from drawing. It’s driving me mad, and to top it off, once it triggers it starts triggering on values which didn’t previously cause the XSS filter to fire.
Edit to add: turning off the XSS filter by setting the header is not allowed.