I upgraded Google Chrome to Version 64.0.3282.140 (Official Build) (64-bit)
on a Windows 10 machine. Once I did, I am getting this error on my site within the developer tools console. Not real sure where to start. I did see a similar issue last year that was an issue with youtube (also in the url), but I haven't seen any solutions.
Error parsing header X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube: insecure reporting URL for secure page at character position 22. The default protections will be applied. 16:07:31.905
I'm also seeing the issue when I go directly to youtube via the embedded url so it's not just on my site.
UPDATE
I've attached a photo of the headers in the response that indicate the google.com url that appears to be generating the issue.
It does not attempt to mitigate Stored or DOM-based XSS attacks. If a possible reflection has been found, Chrome may ignore (neuter) the specific script, or it may block the page from loading with an ERR_BLOCKED_BY_XSS_AUDITOR error page.
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
In the past Zimbra recommended to set the X-XSS-Protection HTTP response header. This header used to enable additional protection against cross-site scripting (XSS) attacks in some web browsers. However this header is now deprecated and support is removed from most browsers.
headers HTTP header: X-XSS-Protection This feature is non-standard and should not be used without careful consideration.
It's a known bug in the current Google Chrome and Chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=807304
In the current version of their browser, the Chrome developers had restricted the X-XSS-Protection's report field URL to the same domain origin for some security reasons. So, when you embed a video with some embed code, as it downloads from another server where the header "report=https://www.google.com/" is set, and while your page is not hosted at the google.com domain - the error message occurs.
Yet, all minor sites (including youtube.com) are sending report URL with different origin domains in it. Probably, they are not even aware of this recent change in Chrome. So either YouTube will change their headers or Chrome developers will revert this. There's nothing that we, as end users, can do. Just wait till they sort this out.
UPDATE:
The issue has been fixed in Version 66.0.3359.117 (Official Build) (64-bit)
The issue has been fixed in Google Chrome new update.
Version 66.0.3359.117 (Official Build) (64-bit)
Make sure you have updated Chrome to this version.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With