Digby, thanks for bringing this issue to our attention. We take security issues very seriously and want to get to the bottom of what is going on.
We have some follow-up questions that we are going to send you directly. When we have fully understood the situation and determined whether any corrective action needs to be taken, we will post that resolution back here so that everyone can see the closure.
Here is a technical summary of the issue.
It appears that Salesforce sets this header when pages are served up from a Community or Portal. Skuid was relying on the browser’s built-in XSS protection, so disabling it allowed for the vulnerability you noticed. The latest release of Rockaway includes a fix that will escape tags in the part of the code that processes URL parameters. Thus, even if the browser feature is disabled, XSS attempts via URL parameters will fail.
Thanks again for alerting us to this issue, as security issues are a very serious concern.
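An added illustration of the point in the reply above (this is not Skuid's or Salesforce's code): a page that reflects a URL parameter into markup must escape it itself rather than rely on the browser's XSS filter, which the Community/Portal header (assumed here to be `X-XSS-Protection: 0`) switches off. The parameter names and query string are constructed for the example.

```javascript
// Added example, not code from the original post or from Skuid.
// Shows the "before" (reflects the raw parameter, protected only by the
// browser filter) next to the "after" (escapes at the point of reflection,
// so the markup is inert whether or not the browser filter is active).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can change meaning inside HTML text or a
// double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Parse a query string into a plain object; no DOM needed, so it runs in Node.
function parseParams(queryString) {
  const params = {};
  const qs = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    params[key] = decodeURIComponent(rawValue.replace(/\+/g, ' '));
  }
  return params;
}

// Before: the decoded parameter lands in the markup unchanged.
function renderUnsafe(params) {
  return `<h1>Welcome, ${params.name}</h1>`;
}

// After: the parameter is escaped where it is reflected, independent of any
// browser-side protection.
function renderSafe(params) {
  return `<h1>Welcome, ${escapeHtml(params.name)}</h1>`;
}

// Constructed sample query carrying a script tag in the "name" parameter.
const SAMPLE_QUERY = '?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&tab=home';

const sampleParams = parseParams(SAMPLE_QUERY);
console.log('unsafe:', renderUnsafe(sampleParams));
console.log('safe:  ', renderSafe(sampleParams));
```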