Error parsing header X-XSS-Protection - Google Chrome


Problem description


I upgraded Google Chrome to Version 64.0.3282.140 (Official Build) (64-bit) on a Windows 10 machine. Once I did, I am getting this error on my site within the developer tools console. Not really sure where to start. I did see a similar issue last year that was an issue with YouTube (also in the URL), but I haven't seen any solutions.

Error parsing header X-XSS-Protection: 1; mode=block; 
report=https://www.google.com/appserve/security-bugs/log/youtube: insecure 
reporting URL for secure page at character position 22. The default 
protections will be applied.
16:07:31.905

I'm also seeing the issue when I go directly to YouTube via the embedded URL, so it's not just on my site.

UPDATE

I've attached a photo of the headers in the response that indicate the google.com URL that appears to be generating the issue.

Solution

It's a known bug in the current Google Chrome and Chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=807304

In the current version of their browser, the Chrome developers have restricted the X-XSS-Protection's report field URL to the same domain origin for some security reasons. So, when you embed a video with some embed code, as it downloads from another server where the header "report=https://www.google.com/" is set, and while your page is not hosted at the google.com domain - the error message occurs.

Yet, all minor sites (including youtube.com) are sending report URLs with different origin domains in them. Probably, they are not even aware of this recent change in Chrome. So either YouTube will change their headers or Chrome developers will revert this. There's nothing that we, as end users, can do. Just wait till they sort this out.

UPDATE:

The issue has been fixed in Version 66.0.3359.117 (Official Build) (64-bit)
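
Added example (not part of the original answer, and not Chrome's own parser): a JavaScript check that parses an X-XSS-Protection value and flags a report URL that is insecure or on a different origin than the document that sent the header, following the rule as the answer describes it. The header value is the one from the question; the document URLs are constructed sample inputs.

```javascript
// Audit of an X-XSS-Protection header value (illustration only, not Chrome's code).
// The same-origin rule for report= is taken from the answer above.
function parseXssProtection(value) {
  const parts = value.split(';').map(p => p.trim()).filter(p => p.length > 0);
  const result = { enabled: null, mode: null, report: null, unknown: [] };
  if (parts.length === 0) return result;
  const first = parts.shift();               // first token is the 0/1 switch
  if (first === '0') result.enabled = false;
  else if (first === '1') result.enabled = true;
  else result.unknown.push(first);
  for (const part of parts) {
    const eq = part.indexOf('=');            // split on the first '=' only; URLs may contain '='
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (name === 'mode') result.mode = val.toLowerCase();
    else if (name === 'report') result.report = val;
    else result.unknown.push(part);
  }
  return result;
}

// documentUrl is the URL of the response that carried the header.
function auditReportUrl(headerValue, documentUrl) {
  const parsed = parseXssProtection(headerValue);
  const findings = [];
  if (parsed.unknown.length > 0) findings.push('unknown-directive');
  if (parsed.report === null) return { parsed, findings };
  const doc = new URL(documentUrl);
  let report;
  try {
    report = new URL(parsed.report, doc);    // relative report URLs resolve against the document
  } catch (e) {
    findings.push('unparseable-report-url');
    return { parsed, findings };
  }
  if (doc.protocol === 'https:' && report.protocol !== 'https:') findings.push('insecure-report-url');
  if (report.origin !== doc.origin) findings.push('cross-origin-report-url');
  return { parsed, findings };
}

// Header from the question; the document URLs below are constructed samples.
const HEADER = '1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube';
console.log(auditReportUrl(HEADER, 'https://www.youtube.com/embed/EXAMPLE').findings);
console.log(auditReportUrl(HEADER, 'https://www.google.com/').findings);
```

Running the same check over your own responses shows whether a report= URL you set is same-origin, which is the condition the answer says Chrome 64 enforced.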
