Chrome Developer Console throws X-XSS-Protection error when embedding youtube link

I'm using Chrome Version 31.0.1650.63 m.

Recently, I've noticed a few errors being thrown in the Chrome developer console, but nothing seems wrong with my site. Upon investigation, they seem to be related to an embedded YouTube link. The markup in question is as follows:

<iframe width="560" height="315" src="http://www.youtube.com/embed/hhhrWFxWQRk" frameborder="0" allowfullscreen></iframe>

The video itself is irrelevant (I just grabbed the first one I saw on YouTube's front page as a test), but I've included the link I'm using here in case something very specific is happening.

The response headers from the request made in Chrome are as follows:

Alternate-Protocol:80:quic
Cache-Control:no-cache
Content-Encoding:gzip
Content-Length:2560
Content-Type:text/html; charset=utf-8
Date:Sun, 12 Jan 2014 20:35:54 GMT
Expires:Tue, 27 Apr 1971 19:44:06 EST
Server:gwiseguy/2.0
X-Content-Type-Options:nosniff
X-Frame-Options:ALLOWALL
X-XSS-Protection:1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube

And the errors I'm getting in the Chrome developer console are as follows:

Invalid 'X-Frame-Options' header encountered when loading 'http://www.youtube.com/embed/hhhrWFxWQRk': 'sil' is not a recognized directive. The header will be ignored.
Error parsing header X-XSS-Protection: sil: expected 0 or 1 at character position 0. The default protections will be applied. 

In big red letters. The first thing I notice is that the errors both reference the value "sil", which I don't see in any of the response headers for the HTTP request.

The video displays and plays fine, and the errors say that default settings will be used - so this doesn't look like an issue. However, I'm keen to understand what's going on, and why these errors are occurring.

I notice that the errors relate to XSS, and from my research, I think the X-XSS-Protection header is for IE8 only, and the value being returned from YouTube is invalid (report= et al). The X-Frame-Options header's value seems to be invalid according to the specification, but Wikipedia (I know!) references the ALLOWALL option:

In addition to that, some advertising sites return a non-standard ALLOWALL value with the intention to allow framing their content on any page (equivalent of not setting X-Frame-Options at all).[31]

Is this a valid concern? Is this a Chrome parsing error, an issue with YouTube's headers, or am I completely missing the point?

I have also done some testing in Firefox v26, IE 11.0.6600.16476, and Opera 12.16, and none of those browsers produce this error.

Quilt answered 12/1, 2014 at 21:49 Comment(1)
Getting the same with 41.0.2272.118 so is clearly something else. - Martinez
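
The validator below is an added example, not code from the original post or from Chrome. It checks `X-Frame-Options` and `X-XSS-Protection` values against their documented syntax, using the header values and the `sil` value quoted in the question; the function names and result shapes are assumptions for illustration, and the error string only mirrors the console message quoted above.

```javascript
// Added example: simplified validators for two response headers; not Chrome's parser.
// Function names and result shapes are illustrative assumptions.
const XFO_STANDARD = new Set(['DENY', 'SAMEORIGIN']);

function checkXFrameOptions(value) {
  const v = value.trim();
  const upper = v.toUpperCase();
  if (XFO_STANDARD.has(upper)) return { status: 'standard', directive: upper };
  // ALLOW-FROM takes a single origin argument (RFC 7034).
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) return { status: 'standard', directive: 'ALLOW-FROM', origin: m[1] };
  // ALLOWALL is the non-standard value described in the question's Wikipedia quote.
  if (upper === 'ALLOWALL') return { status: 'non-standard', directive: upper };
  return { status: 'unrecognized', directive: v };
}

function checkXssProtection(value) {
  const parts = value.split(';').map((p) => p.trim());
  const flag = parts.shift();
  // The header must start with the on/off flag; anything else is a parse error.
  if (flag !== '0' && flag !== '1') {
    return { ok: false, error: 'expected 0 or 1 at character position 0' };
  }
  const result = { ok: true, enabled: flag === '1', block: false, report: null };
  for (const part of parts) {
    if (part === '') continue; // tolerate a trailing semicolon
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? null : part.slice(eq + 1).trim();
    if (name === 'mode' && arg !== null && arg.toLowerCase() === 'block') result.block = true;
    else if (name === 'report' && arg) result.report = arg;
    else return { ok: false, error: `unrecognized directive: ${part}` };
  }
  return result;
}

// Values copied from the question: the two served headers and the value the console named.
const SAMPLES = {
  xfoServed: 'ALLOWALL',
  xssServed: '1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube',
  fromConsole: 'sil',
};

console.log(checkXFrameOptions(SAMPLES.xfoServed));
console.log(checkXssProtection(SAMPLES.xssServed));
console.log(checkXFrameOptions(SAMPLES.fromConsole));
console.log(checkXssProtection(SAMPLES.fromConsole));
```

Under this syntax the served `X-XSS-Protection` value parses cleanly and `ALLOWALL` is flagged only as non-standard, while `sil` fails both checks.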

Looks like this was an issue with that particular version of Chrome - now Chrome has updated to v32, I no longer get this issue. I am, however, getting a load more warnings and errors related to linking to YouTube.

Quilt answered 17/1, 2014 at 11:32 Comment(7)
This has started happening again in 32.0.1700.76 m :( - Quilt
Getting the same with 41.0.2272.118 so is clearly something else. - Martinez
same issue with version 51 - Billhook
Same with version 64 - Brigitte
Me too with Version 64.0.3282.140 - Mcmaster
Also Version 64.0.3282.140 (Official Build) (64-bit) - Em
so what is a viable solution for this? Also having this on Version 64.0.3282.140 (Official Build) (64-bit) on MacOs - Vittorio
