Error parsing header X-XSS-Protection - Google Chrome

javascript html google-chrome youtube youtube-api

55,542

Solution 1

It's a known bug in the current Google Chrome and Chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=807304

In the current version of their browser, the Chrome developers had restricted the X-XSS-Protection's report field URL to the same domain origin for some security reasons. So, when you embed a video with some embed code, as it downloads from another server where the header "report=https://www.google.com/" is set, and while your page is not hosted at the google.com domain - the error message occurs.

Yet, all minor sites (including youtube.com) are sending report URL with different origin domains in it. Probably, they are not even aware of this recent change in Chrome. So either YouTube will change their headers or Chrome developers will revert this. There's nothing that we, as end users, can do. Just wait till they sort this out.

UPDATE:

The issue has been fixed in Version 66.0.3359.117 (Official Build) (64-bit)

Solution 2

The issue has been fixed in Google Chrome new update.

Version 66.0.3359.117 (Official Build) (64-bit)

Make sure you have updated Chrome to this version.

55,542

Cannon Moyer

Updated on July 11, 2022

Comments

Cannon Moyer almost 2 years
I upgraded Google Chrome to Version 64.0.3282.140 (Official Build) (64-bit) on a Windows 10 machine. Once I did, I am getting this error on my site within the developer tools console. Not real sure where to start. I did see a similar issue last year that was an issue with youtube (also in the url), but I haven't seen any solutions.
```
Error parsing header X-XSS-Protection: 1; mode=block; 
report=https://www.google.com/appserve/security-bugs/log/youtube: insecure 
reporting URL for secure page at character position 22. The default 
protections will be applied.
16:07:31.905
```
I'm also seeing the issue when I go directly to youtube via the embedded url so it's not just on my site.

UPDATE

I've attached a photo of the headers in the response that indicate the google.com url that appears to be generating the issue.
Ben Racicot about 6 years

Still visible in Chrome 66.0.3350.0 (Official Build) canary (64-bit)
Honsa Stunna about 6 years

Seems fixed in Chrome 67.0.3381.0 (Official Build) canary (64-Bit)
mimic about 6 years

@HonsaStunna is it Mac Version? I have the latest Win 65.0.3325.181 (Official Build) (64-bit) and still see this error.
Honsa Stunna about 6 years

Sorry forgot, Windows 10.
Manjunath Reddy about 6 years

still visible in lates chrome too.
Admin about 6 years

Issue has been fixed in bugs.chromium.org, still visible in Chrome 65 (stable) but gone in Chrome 68 (Canary)
JoePC about 6 years

Just confirming: Updated from 65 to 66 and I don't see that error anymore.
Saurabh about 6 years

as per chrome dev bugs.chromium.org/p/chromium/issues/detail?id=807304#c30 it is fixed. I have tested in my chrome 66.0.3359.139.0 and without deleting cache all the three boxes test links, the error has gone ...
STEEL almost 6 years

issue is still present in 67. I cant open youtube
Travis Smith over 5 years

I'm seeing it now in Version 69.0.3497.100 (Official Build) (64-bit)
Nemanja almost 5 years

I have version 75.0 for Mac and have this issue
Works for a Living about 4 years

Chrome 77, Ubuntu, still visible.