Chrome blocks certain links?

[User1291]

http://forums.nrvnqsr.com/showthread...ral-discussion

Now try tapping "Preview Post"...

This page doesn't work.

Chrome has found unusual Code on this page and therefore blocked it to protect your personal data, e.g. passwords, phone number or credit card information.


ERR_BLOCKED_BY_XSS_AUDITOR

[Seika]

Can't reproduce. You can't think of anything else that could be causing this?

[John D. Pliskin]

Hey, this same thing has been happening to me when trying to update my signature tonight. (Sorry, I guess I should've checked the sub-forum more for a thread like this.)

So I was just trying to update my signature, and this keeps happening whenever I try to save anything...



Never had this XSS Auditor error happen on me before here. I assume there are workarounds to this, but I already tried one method (of adding some code to the program address) and I don't think it worked...

(Moreover, I don't think I should have to do that. :P)

[Quibi]

This is a really annoying issue. I have steps to reproduce:

1. Add a link to somewhere inside this site (user profile, a certain comment, etc...) in a quick reply.
2. Click go advanced.
3. You get "ERR_BLOCKED_BY_XSS_AUDITOR" error by chrome.

If you try to first "go advanced" and then paste the username, you get the same error when trying to submit the post or even preview it (I suppose clicking "go advanced" is the same as "preview post").
Anyway, would really appreciate fixing this as I have to switch to another browser whenever I want to edit my threads...

[Seika]

Attempted all variants: just doing the link and going advanced, typing and then pasting the link and going advanced, going advanced and then pasting a link and trying to preview or post. Still unable to reproduce in any case.

E: Hold. I can reproduce if I go advanced, copy and paste the link and add text, preview (it works) and then preview again. That throws the error. IDK.

[Seika]

http://forums.nrvnqsr.com/member.php/1746-Quibi

sdfsdfs

So, yes, it will still post properly without the error on the first go.

[Seika]

Solution that seems to work: when you're in Advanced (or, I suppose, Quick Reply, if you're somehow managing to throw errors by going from there, which I still can't), then switch the editor to source mode using the very top-left button. Chrome then processes it properly.

This seems to be connected directly to the issue, because coming out of source mode immediately gets it to start throwing the error again. The browser doesn't like something about converting the raw links to hyperlink markup?

[Seika]

More Testing

[Quibi]

Since it only happens to me when I try linking inside the forum's domain, and not when using external links, I suspect chrome is thinking the site is trying to inject code to itself, which it doesn't...

Googling the problem, it also seems to only take effect since chrome v54.
I found a solution that seemed to work for some is adding the following header which disables this protection (requires editing the source code):

Code:

header('X-XSS-Protection:0');

Source: https://stackoverflow.com/questions/...uditor-details
More info about this header: https://developer.mozilla.org/en-US/...XSS-Protection

Can't say how "safe" it is to disable it, but it seems to be more of a "backwards compatible" protection that isn't really needed for newer websites.

My specs:
Windows 10
Chrome Version 63.0.3239.108 (Official Build) (64-bit)

[Seika]

I'm not sure we're a newer website, though.

[Quibi]

Digging around some more, I may have found a better solution. First let's document it properly (TL;DR in the end):
Looking for this problem specifically in vbulletin led me to this:
https://www.vbulletin.com/forum/foru...-after-upgrade
which said it's a Chrome "bug". Chrome, on the other hand, says it's a "won't fix":
https://bugs.chromium.org/p/chromium...tail?id=703093
I'm not entirely sure who's a fault here - chrome detecting a false positive, or the editor needs to improve its code security. Some guy here phrased it better (and eventually found a way to improve his code security):
https://bugs.chromium.org/p/chromium...?id=702542#c24


TL;DR:
I found the exact same problem we're having documented here:
http://forum.turboduck.net/threads/3..._auditor-error
They suggested this solution: https://xenforo.com/community/thread...2#post-1146809
Which is to add the following line to config.php:

Code:

header('X-XSS-Protection: 1');

Which doesn't turn the protection off, but does revert it to its previous version that doesn't emit this error.

Also I'd like to point out I'm consistently getting this error, unlike Seika. Using "Source Mode" does indeed allow me to preview links, so it's likely the WYSIWYG part that's the problem.

[Seika]

add to config.php

Ahaha, welp, we'd need Dark Pulse to exist for that.

[Quibi]

Is it a permissions issue or a technical one? 'Cause it's just editing a config file and (maybe) restarting the server...
And anyway, I suppose he exists since every now and then the forum does go down and I assume someone's there to get it back up...

[mAc Chaos]

That's handled by me/Seika and Dovacs.

I'll see if he can be roused from his slumber.

[Seika]

Is it a permissions issue or a technical one? 'Cause it's just editing a config file and (maybe) restarting the server...
And anyway, I suppose he exists since every now and then the forum does go down and I assume someone's there to get it back up...

Admin is a purely forum thing. We've never been given actual server access. I'm pretty sure even the original trio never had it, even while Dark Pulse wasn't an admin and was only handling the technical side.