Invalid 'X-Frame-Options' header from Google's Doubleclick response

We use doubleclick from Google to track user information with a floodlight tag in an IFrame, but recently the response is causing an error in the Chrome dev tools:

Invalid 'X-Frame-Options' header encountered when loading 'http://123.fls.doubleclick.net/activityi;src=123;type=123;cat=123;ord=123': 'ALLOWALL' is not a recognized directive. The header will be ignored.

Here is a blog post on the matter: http://ipsec.pl/node/1094

It looks like ALLOWALL has recently been added to allow any site to use the code as a src (similar to not including that option at all) and doubleclick is including this option in their response. Out of IE, Firefox and Chrome, Chrome is the only browser that throws the error. Does that mean that Google is using an option in doubleclick that doesn't work in their own browser? It's hard to imagine a Google team not testing in Chrome.

It seems to me that if the header is being ignored, and the header has the same effect as not including any cross site restrictions with X-Frame-Options, the error will not affect anything. Also, since the error occurs on the response, the tracking that is done with the original request should be fine, right?

Livonia answered 5/3, 2013 at 23:29 Comment(1)
I'm receiving this too. Chrome shows the error, but ignores the value (allowing the request). Firefox shows the error but denies the request. – Federation

The issue was filed as a bug report:
Bug 110857 - X-Frame-Options should accept ALLOWALL as a valid value
It has been addressed and the fix is in the main branch of WebKit. Once the latest WebKit engine is in use by Chrome, the messages will disappear.

For more information, see: WebKit Changeset 144105

Vambrace answered 19/4, 2013 at 9:56 Comment(0)
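
An added example, not part of the original question or answer: a small auditor that classifies an X-Frame-Options value against the directives defined in RFC 7034, so a response carrying a value like ALLOWALL is flagged as giving no framing restriction. The function name `auditXFrameOptions` and the result fields are hypothetical, and the sample values are constructed.

```javascript
// Added example (not from the thread): audit one X-Frame-Options header value.
// Directives follow RFC 7034; ALLOWALL is the non-standard value from the question.
const STANDARD = new Map([
  ['DENY', 'no site may frame the response'],
  ['SAMEORIGIN', 'only same-origin pages may frame the response'],
]);

function auditXFrameOptions(rawValue) {
  // restricts = the directive, as defined, limits who may frame the response.
  const result = (directive, recognized, restricts, note) =>
    ({ directive, recognized, restricts, note });

  if (rawValue === undefined || rawValue === null) {
    return result(null, false, false, 'header absent: framing is unrestricted');
  }
  // Repeated headers are commonly joined with commas by HTTP stacks.
  const values = String(rawValue).split(',').map(v => v.trim()).filter(Boolean);
  if (values.length === 0) {
    return result('', false, false, 'empty value');
  }
  if (values.length > 1) {
    return result(values.join(', '), false, false,
      'multiple values: handling differs between browsers, send exactly one');
  }

  const value = values[0];
  const upper = value.toUpperCase(); // directive names are case-insensitive
  if (STANDARD.has(upper)) {
    return result(upper, true, true, STANDARD.get(upper));
  }

  const allowFrom = /^ALLOW-FROM\s+(\S+)$/i.exec(value);
  if (allowFrom) {
    try {
      const origin = new URL(allowFrom[1]).origin; // throws on a non-URL
      return result('ALLOW-FROM ' + origin, true, true,
        'framing limited to one origin; browser support for ALLOW-FROM varies');
    } catch (err) {
      return result(value, false, false, 'ALLOW-FROM without a valid origin');
    }
  }
  // ALLOWALL and typos land here: the header gives no reliable restriction.
  return result(value, false, false,
    'unrecognized directive: do not rely on this header for framing control');
}

// Constructed sample values, including the one from the question.
for (const v of ['ALLOWALL', 'sameorigin', 'ALLOW-FROM https://example.com/x']) {
  console.log(v, '->', JSON.stringify(auditXFrameOptions(v)));
}
```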
