Error parsing header X-XSS-Protection - Google Chrome

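I upgraded Google Chrome to Version 64.0.3282.140 (Official Build) (64-bit) on a Windows 10 machine. As soon as I did, I started getting this error on my site in the developer tools console. I don't know where to start. I did see a similar issue on YouTube last year, but I didn't see any solutions.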

Error parsing header X-XSS-Protection: 1; mode=block;
report=https://www.google.com/appserve/security-bugs/log/youtube: insecure
reporting URL for secure page at character position 22. The default
protections will be applied.
16:07:31.905

I also see this issue when I visit YouTube directly via the embed URL, so it is not just on my site.

Update

I've attached a photo of the headers in the response, showing that the google.com URL appears to be producing this issue.


It's a known bug in the current Google Chrome and Chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=807304

In the current version of their browser, the Chrome developers restricted the X-XSS-Protection report field URL to the same domain origin for some security reasons. So, when you embed a video with some embed code, it downloads from another server where the header "report=https://www.google.com/" is set, and since your page is not hosted at the google.com domain, the error message occurs.

Yet, all minor sites (including youtube.com) are sending report URLs with different origin domains in them. Probably, they are not even aware of this recent change in Chrome. So either YouTube will change their headers or the Chrome developers will revert this. There's nothing that we, as end users, can do. Just wait till they sort this out.

UPDATE:

The issue has been fixed in Version 66.0.3359.117 (Official Build) (64-bit)
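
The same-origin restriction on the `report` directive described in the answer above, as an added example that is not part of the original answer and is not Chrome's own parser. The function name `checkXssProtection` and the page URL `https://example.test/watch` are assumptions made for illustration; the header value is the one from the console message in the question.

```javascript
// Added example: a simplified model of the check the answer describes,
// not Chrome's actual header parser. Assumes no ';' inside the report URL.
function checkXssProtection(headerValue, pageUrl) {
  const result = { enabled: null, block: false, reportUrl: null,
                   reportPos: -1, sameOrigin: null, errors: [] };
  let offset = 0;
  for (const raw of headerValue.split(';')) {
    const start = offset;               // index of this directive in the header
    offset += raw.length + 1;           // +1 for the ';' separator
    const lead = raw.length - raw.trimStart().length;
    const part = raw.trim();
    if (part === '') continue;
    if (part === '0' || part === '1') { result.enabled = part === '1'; continue; }
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (name === 'mode' && value.toLowerCase() === 'block') {
      result.block = true;
    } else if (name === 'report') {
      result.reportUrl = value;
      result.reportPos = start + lead + part.indexOf(value, eq + 1);
      try {
        // Relative report URLs resolve against the page, so they stay same-origin.
        const reportOrigin = new URL(value, pageUrl).origin;
        result.sameOrigin = reportOrigin === new URL(pageUrl).origin;
        if (!result.sameOrigin) {
          result.errors.push(`report URL at position ${result.reportPos} has origin ` +
            `${reportOrigin}, page origin is ${new URL(pageUrl).origin}`);
        }
      } catch (e) {
        result.errors.push(`unparseable report URL at position ${result.reportPos}`);
      }
    } else {
      result.errors.push(`unknown directive "${name}" at position ${start + lead}`);
    }
  }
  return result;
}

// Header value from the console message above; the page URL is constructed.
const HEADER = '1; mode=block; ' +
  'report=https://www.google.com/appserve/security-bugs/log/youtube';
const embedded = checkXssProtection(HEADER, 'https://example.test/watch');
console.log(embedded.errors);
```

The computed offset of the report URL matches the "character position 22" in the console message, and a site operator can run the same check against their own response headers to see whether a `report` URL points at a different origin than the page.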

The issue has been fixed in the new Google Chrome update.

Version 66.0.3359.117 (Official Build) (64-bit)

Make sure you have updated Chrome to this version.