Chrome Developer Console throws X-XSS-Protection error when embedding youtube link

google-chrome youtube xss x-frame-options
Spikeh picture Spikeh · Jan 12, 2014 · Viewed 12.1k times · Source

I'm using Chrome Version 31.0.1650.63 m.

Recently, I've noticed a few errors being thrown in the Chrome developer console, but nothing seems wrong with my site. Upon investigation, they seem to be related to an embedded youtube link. The markup in question is as follows:

<iframe width="560" height="315" src="http://www.youtube.com/embed/hhhrWFxWQRk" frameborder="0" allowfullscreen></iframe>

The video itself is irrelevant (I just grabbed the first one I saw on youtubes front page as a test), but I've included the link I'm using here in case something very specific is happening.

The response headers from the request made in Chrome are as follows:

Alternate-Protocol:80:quic
Cache-Control:no-cache
Content-Encoding:gzip
Content-Length:2560
Content-Type:text/html; charset=utf-8
Date:Sun, 12 Jan 2014 20:35:54 GMT
Expires:Tue, 27 Apr 1971 19:44:06 EST
Server:gwiseguy/2.0
X-Content-Type-Options:nosniff
X-Frame-Options:ALLOWALL
X-XSS-Protection:1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube

And the errors I'm getting in the Chrome developer console are as follows:

Invalid 'X-Frame-Options' header encountered when loading 'http://www.youtube.com/embed/hhhrWFxWQRk': 'sil' is not a recognized directive. The header will be ignored.
Error parsing header X-XSS-Protection: sil: expected 0 or 1 at character position 0. The default protections will be applied.

In big red letters. The first thing I notice is that the errors both reference the value "sil", which I don't see in any of the response headers for HTTP request.

The video displays and plays fine, and the errors say that default settings will be used - so this doesn't look like an issue. However, I'm keen to understand what's going on, and why these errors are occurring.

I notice that the errors relate to XSS, and from my research, I think the X-XSS-Protection header is for IE8 only, and the value being returned from YouTube is invalid (report= et al). The X-Frame-Options header's value seems to be invalid according to the specification, but Wikipedia (I know!) references the ALLOWALL option:

In addition to that, some advertising sites return a non-standard ALLOWALL value with the intention to allow framing their content on any page (equivalent of not setting X-Frame-Options at all).[31]

Is this a valid concern? Is this a Chrome parsing error, an issue with youtube's headers, or am I completely missing the point?

I have also done some testing in Firefox v26, IE 11.0.6600.16476, and Opera 12.16, and none of those browsers produce this error.

Answer

Spikeh picture Spikeh · Jan 17, 2014

Looks like this was an issue with that particular version of Chrome - now Chrome has updated to v32, I no longer get this issue. I am, however, getting a load more warnings and errors related to linking to YouTube.

Related questions

Error parsing header X-XSS-Protection - Google Chrome

I upgraded Google Chrome to Version 64.0.3282.140 (Official Build) (64-bit) on a Windows 10 machine. Once I did, I am getting this error on my site within the developer tools console. Not real sure where to start. I did see a similar …

Read More
YouTube autoplay not working in Chrome

For a while now I have been using this script, where the video is automatically playing full-screen. For now suddenly the video doesn't play automatically in Chrome. But in Firefox and Edge it still works. So maybe Google changed settings? …

Read More
Disable same origin policy in Chrome

Is there any way to disable the Same-origin policy on Google's Chrome browser?

Read More