Invalid 'X-Frame-Options' header from Google's Doubleclick response

We use doubleclick from Google to track user information with a floodlight tag in an IFrame, but recently the response is causing an error in the Chrome dev tools:

Invalid 'X-Frame-Options' header encountered when loading 'http://123.fls.doubleclick.net/activityi;src=123;type=123;cat=123;ord=123': 'ALLOWALL' is not a recognized directive. The header will be ignored.

Here is a blog post on the matter: http://ipsec.pl/node/1094

It looks like ALLOWALL has recently been added to allow any site to use the code as a src (similar to not including that option at all) and doubleclick is including this option in their response. Out of IE, Firefox and Chrome, Chrome is the only browser that throws the error. Does that mean that Google is using an option in doubleclick that doesn't work in their own browser? It's hard to imagine a Google team not testing in Chrome.

It seems to me that if the header is being ignored, and the header has the same effect as not including any cross site restrictions with X-Frame-Options, the error will not affect anything. Also, since the error occurs on the response, the tracking that is done with the original request should be fine, right?

aaron asked Mar 05 '13 23:03


1 Answer

The issue was filed as a bug report:
Bug 110857 - X-Frame-Options should accept ALLOWALL as a valid value
It has been addressed, and the fix is in the main branch of WebKit. Once the latest WebKit engine is in use by Chrome, the messages will disappear.

For more information, see: WebKit Changeset 144105

cwebbdesign answered Sep 24 '22 20:09
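
The behaviour discussed in this thread, as an added example that is not part of the original question or answer and not code from Chrome or WebKit: a small model of an X-Frame-Options parser that compares a directive set without ALLOWALL against one that accepts it. The function names, the two directive sets and the embedding page origin are assumptions made for illustration; CSP `frame-ancestors` is not modelled and ALLOW-FROM matching is simplified.

```javascript
// Added example. Directive sets are assumptions for illustration,
// not taken from any browser's source code.
const RFC7034 = new Set(["DENY", "SAMEORIGIN", "ALLOW-FROM"]);
const WITH_ALLOWALL = new Set([...RFC7034, "ALLOWALL"]);

// Returns { effect, warning } for one header value.
// rawValue === undefined means the response carried no X-Frame-Options header.
function evaluateXfo(rawValue, recognized, frameOrigin, pageOrigin) {
  if (rawValue === undefined) return { effect: "frame-allowed", warning: null };
  const [token, ...rest] = rawValue.trim().split(/\s+/);
  const directive = token.toUpperCase(); // directives are case-insensitive
  if (!recognized.has(directive)) {
    // Wording follows the console message quoted in the question.
    return {
      effect: "frame-allowed", // an ignored header imposes no restriction
      warning: `'${token}' is not a recognized directive. The header will be ignored.`,
    };
  }
  switch (directive) {
    case "DENY":
      return { effect: "frame-blocked", warning: null };
    case "SAMEORIGIN":
      return { effect: frameOrigin === pageOrigin ? "frame-allowed" : "frame-blocked", warning: null };
    case "ALLOW-FROM": // simplified: exact string match on the listed origin
      return { effect: rest[0] === pageOrigin ? "frame-allowed" : "frame-blocked", warning: null };
    default: // ALLOWALL, only reachable when the parser accepts it
      return { effect: "frame-allowed", warning: null };
  }
}

const frame = "http://123.fls.doubleclick.net"; // host from the question
const page = "https://shop.example";            // constructed embedding page

// Evaluate one value under both directive sets so the difference is visible.
function compare(value) {
  return {
    strict: evaluateXfo(value, RFC7034, frame, page),
    lenient: evaluateXfo(value, WITH_ALLOWALL, frame, page),
  };
}

for (const v of ["ALLOWALL", "DENY", "sameorigin", undefined]) {
  console.log(String(v), JSON.stringify(compare(v)));
}
```

For `ALLOWALL` both parsers allow the frame; the only difference is the console warning. A misspelled `DENY` or `SAMEORIGIN` would be ignored in the same way, which is the case worth checking for on pages that rely on the header for clickjacking protection.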