New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chrome displays error message in iframe - Unsual code detected #13727
Comments
@leekirby6 thanks for the issue. Can you give more information on where you saw this notification? A screenshot might help as well if you're able to provide one. I don't get any notification from Chrome when I open the page. Thanks! |
It might be related to Chrome Beta. See #12655. It works fine for me with stable Chrome. @leekirby6 Can you try it with stable Chrome? |
Thanks for rely. I prefer beta vesion than stable : |
Is this error an indication that campers will see this in a future version of Chrome? If that's the case, we should probably make sure this is fixed before the release. |
I can reproduce this with Chrome 57, both on the beta and the live site. The version where this can be reproduced is 57.0.2987.88. From the Chrome releases blog, on March 9th:
The error:
This mentions that the error we're seeing is indeed caused by functionality enabled in Chrome 57. The warning seems to be triggered by having a form in the iframe. I tested how Codepen handles this. It does work fine there. Some notable differences:
/cc @freeCodeCamp/moderators This looks like it has the potential to become a very serious issue for us, but I'm not certain. Can anybody help investigate? |
@systimotic thanks for bringing this to everyone's attention. Yes - this is a serious issue. If Google rolls out this update, it will completely break our challenges. So we need to fix this ASAP. Have you been able to make any progress on this? @BerkeleyTrue is this something you could fix and deploy to production real quick, or do you have someone in mind for delegating this? |
This comment was marked as spam.
This comment was marked as spam.
I have an idea, I'll raise a PR against backup/master if my theory works out. If it works I can then implament it for staging also |
But please, if someone else has an idea, go ahead and work away at it This seems like a critical issue |
@QuincyLarson @systimotic @Bouncey Looking into it, (according to @timo's link) Chrome is changes the default behavior Before, the chromes default bahavior was to filter outs the parts of the script that would be considered harmful. We’ve gotten around this by encoding the specific parts that chrome would complain about (form actions and such) and then decoding them before injecting into the iframe. Now the default behavior is going to block the page completely. This is what is causing the issue (I believe). I downloaded Chrome canary and |
A fix may be as simple as changing our |
I cannot replicate on beta, but I can on production Chrome 57 is now the 'chrome stable' for Ubuntu |
I cannot reproduce locally on backup/master |
try to post back, via server control, some html and JavaScript code to server and you will see the issue. |
happened to me on Chrome Version 57.0.2987.110 (64-bit) Win10 64bit |
Hello, all, please help me understand this better. I am Business Analyst in Software company. We experience the issue that after 57.0.2987.98 Chrome update we get the error “This page isn’t working Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards). ERR_BLOCKED_BY_XSS_AUDITOR" - basically what you are discussing here. My questions would be:
We have number of customers who suffer from this error and we need to understand whether we should wait for the Chrome fix or to implement the fix on our side. |
@dimapct This the repository for FreeCodeCamp.com not for Chrome. Please direct your questions related to your business software and chrome to the chrome team, not us. |
@QuincyLarson |
I have just come across this bug report. I wonder if my experience might shed some light on this. When I write a post on Ubuntu Forums — which is a perfectly bona fide site — Chrome frequently, but not always, gives me this error when I press "Preview Post". I have attempted to find a pattern, but it seems entirely arbitrary; I can type some wording, which Chrome accepts, and other wording, which it doesn't, and I see no significant difference between them. For example, sometimes Chrome blocks a post with quotes, and other times not. I use Chrome 57 Stable (from the official Chrome repositories) on Linux Ubuntu. (I shall adopt the suggestion by @QuincyLarson for the time being, although it's a bit nerving to turn it off!) |
Unfortunately, the proposed solution from @QuincyLarson did not work for me. However, there is further information, which I hope is of some help: https://bugs.chromium.org/p/chromium/issues/detail?id=702542 |
@paddylandau Thanks. It seems the issue is solved by explicitly adding x-xss-protection headers to our csp. Anyone have some time to test this out? |
The problem with adding this header is that it means reducing security, for the sake of Chrome. That seems weird to me. |
Actually, if you set the header to 1, then you're just keeping the security the same and preventing Chrome v57 from increasing security. The only real difference is that v57 is noisily blocking some code that v56- and other browsers have been silently blocking up to now. |
I'm still experiencing this issue :( |
I'm still experiencing this issue on "Create a Form Element". |
The interesting thing regarding this issue is when you complete the lesson on a different browser and return to Chrome and "view the solution" of that lesson, the code reads with no error and you can continue on with the next lesson. Any thoughts? |
On Apr 10, 2017 10:21 AM, "Rogerio Penchel" <notifications@github.com> wrote:
I'm still experiencing this issue :(
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#13727 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AV-9X3RBc4-MBzYNChdMp0_uZrywTADUks5rumUPgaJpZM4MS57P>
.
|
Some code used in production to strip and lock code uri (solution in uri) https://github.com/freeCodeCamp/freeCodeCamp/blob/staging/client/sagas/code-storage-saga.js#L98 The utils used to do this: https://github.com/freeCodeCamp/freeCodeCamp/blob/staging/client/utils/code-uri.js#L52 remove code uri: https://github.com/freeCodeCamp/freeCodeCamp/blob/staging/client/utils/code-uri.js#L66 Here in the epic that handles building the files before they go to the iframe is where we check whether the code will run automatically https://github.com/freeCodeCamp/freeCodeCamp/blob/staging/client/sagas/build-challenge-epic.js#L24 Here we lock the execution button in the classic view and display an unlock button note: I have a major refactor in the works that will break all these links. I'll updated them in a separate comment when that PR is merged in |
Thanks @BerkeleyTrue, going to take a crack at it tonight. |
@raisedadead awesome - thanks for your help. Please keep us posted, and let us know if you need any backup. |
Last Tuesday, @raisedadead and I looked into this issue. I'm sharing our findings here, supplemented by things I found afterwards on my own. I hope this will give some background into why we believe this is the way to fix this issue. This issue is not reproducible on the freeCodeCamp beta, in any browser, with any code. Using the code shared in the initial report, this issue is reproducible in Chrome 57 and Chrome 58 (current), but not in Chrome 59 (Chrome Beta) or Chrome 60 (Chrome Canary). On this line, we enable the helmet xxsFilter plugin. It sets the
This confuses me. We have always sent this header, it's definitely there in the response, but it still says it's not there. My best guess as to why this is happening: the header is sent for the In Chrome 57, no header present was changed to default to Here's a short summary of what the XSS auditor does (or at least, how I understand it): it looks at the URL and the page source code. If it finds a script (or something else that seems malicious) in the URL that it also finds in the HTML, it will block the page. [source 1] [source 2] [source 3] The proper and easiest solution should be to set the |
Thanks for the insight, and the excellent sum up what we debugged the other day. Yes, it's a bit tricky on the production site, I'll update asap. |
Adding this "--disable-xss-auditor" to the target field of the chrome shortcut got it working for me. |
It didn't work on Chrome or Firefox (54.0b12) for me. Had to resort to using IE. |
This has been fixed both in beta and in the main website. |
Update
Please use Firefox while we come up with a fix. Apologies for the inconvenience.
Challenge Add a Submit Button to a Form has an issue.
User Agent is:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.88 Safari/537.36
.Description edited by @systimotic for clarification
There is a warning displayed in the phone frame. It says: "Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards)."
Code:
The text was updated successfully, but these errors were encountered: