 

Chrome Developer Console throws X-XSS-Protection error when embedding YouTube link

I'm using Chrome Version 31.0.1650.63 m.

Recently, I've noticed a few errors being thrown in the Chrome developer console, but nothing seems wrong with my site. Upon investigation, they seem to be related to an embedded YouTube link. The markup in question is as follows:

<iframe width="560" height="315" src="http://www.youtube.com/embed/hhhrWFxWQRk" frameborder="0" allowfullscreen></iframe>

The video itself is irrelevant (I just grabbed the first one I saw on YouTube's front page as a test), but I've included the link I'm using here in case something very specific is happening.

The response headers from the request made in Chrome are as follows:

Alternate-Protocol:80:quic
Cache-Control:no-cache
Content-Encoding:gzip
Content-Length:2560
Content-Type:text/html; charset=utf-8
Date:Sun, 12 Jan 2014 20:35:54 GMT
Expires:Tue, 27 Apr 1971 19:44:06 EST
Server:gwiseguy/2.0
X-Content-Type-Options:nosniff
X-Frame-Options:ALLOWALL
X-XSS-Protection:1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube

And the errors I'm getting in the Chrome developer console are as follows:

Invalid 'X-Frame-Options' header encountered when loading 'http://www.youtube.com/embed/hhhrWFxWQRk': 'sil' is not a recognized directive. The header will be ignored.
Error parsing header X-XSS-Protection: sil: expected 0 or 1 at character position 0. The default protections will be applied.

In big red letters. The first thing I notice is that the errors both reference the value "sil", which I don't see in any of the response headers for the HTTP request.

The video displays and plays fine, and the errors say that default settings will be used - so this doesn't look like an issue. However, I'm keen to understand what's going on, and why these errors are occurring.

I notice that the errors relate to XSS, and from my research, I think the X-XSS-Protection header is for IE8 only, and the value being returned from YouTube is invalid (report= et al). The X-Frame-Options header's value seems to be invalid according to the specification, but Wikipedia (I know!) references the ALLOWALL option:

In addition to that, some advertising sites return a non-standard ALLOWALL value with the intention to allow framing their content on any page (equivalent of not setting X-Frame-Options at all).

Is this a valid concern? Is this a Chrome parsing error, an issue with YouTube's headers, or am I completely missing the point?

I have also done some testing in Firefox v26, IE 11.0.6600.16476, and Opera 12.16, and none of those browsers produce this error.

Spikeh asked Jan 12 '14 21:01
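As an added example (not from the question, and not Chrome's or YouTube's code), here is a small checker that applies the documented grammar of the two headers to the values in the response dump above: X-Frame-Options per RFC 7034 plus the non-standard ALLOWALL the question quotes, and X-XSS-Protection as `0 | 1 [; mode=block] [; report=<url>]`. The exact warning wording is my own choice, modelled on the console messages in the question.

```python
import re

XFO_STANDARD = {"DENY", "SAMEORIGIN"}   # directives defined by RFC 7034
XFO_NONSTANDARD = {"ALLOWALL"}          # non-standard value; browsers treat it like no header


def check_x_frame_options(value: str) -> list[str]:
    """Return warnings for an X-Frame-Options value; an empty list means it parsed cleanly."""
    token = value.strip()
    if not token:
        return ["header missing: the page can be framed by any origin"]
    upper = token.upper()
    if upper in XFO_STANDARD:
        return []
    if upper in XFO_NONSTANDARD:
        return [f"'{token}' is non-standard: browsers ignore it, so the page can be framed by any origin"]
    if upper.startswith("ALLOW-FROM"):
        return ["'ALLOW-FROM' is not honoured by Chrome; use a CSP frame-ancestors directive instead"]
    return [f"'{token}' is not a recognized directive. The header will be ignored."]


def check_x_xss_protection(value: str) -> list[str]:
    """Return warnings for an X-XSS-Protection value using the grammar
    0 | 1 [; mode=block] [; report=<url>]; an empty list means it parsed cleanly."""
    parts = [p.strip() for p in value.split(";")]
    head = parts[0]
    if head not in ("0", "1"):
        return [f"{head or '<empty>'}: expected 0 or 1 at character position 0. "
                "The default protections will be applied."]
    warnings: list[str] = []
    for directive in filter(None, parts[1:]):
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name == "mode" and val.lower() != "block":
            warnings.append(f"mode={val!r}: only 'block' is recognized")
        elif name == "report" and not re.match(r"^https?://\S+$", val):
            warnings.append(f"report={val!r}: expected an absolute URL")
        elif name not in ("mode", "report"):
            warnings.append(f"unknown directive '{name}' ignored")
    return warnings


# Header values copied from the question's response dump.
YOUTUBE_XFO = "ALLOWALL"
YOUTUBE_XSS = "1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube"

if __name__ == "__main__":
    print("X-Frame-Options:", check_x_frame_options(YOUTUBE_XFO) or "ok")
    print("X-XSS-Protection:", check_x_xss_protection(YOUTUBE_XSS) or "ok")
```

Run against the values YouTube actually sent, the X-XSS-Protection header parses cleanly and ALLOWALL only draws a "non-standard, ignored" note; the "expected 0 or 1" message from the question is only produced when the parser sees something like "sil" in the first position.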


1 Answer

Looks like this was an issue with that particular version of Chrome - now Chrome has updated to v32, I no longer get this issue. I am, however, getting a load more warnings and errors related to linking to YouTube.

Spikeh answered Sep 21 '22 05:09