Avoid the 'XSS Auditor' issue when embedding a Hype document within a web page

If you see the following error in Safari:

The XSS Auditor refused to execute a script in 'https://example.com' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.

Remove the query string at the end of your document's embed code when embedded on your page. This looks like ?33439.

Alternatively, you could adjust the X-XSS settings for your server.

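As an added example (not code from the thread or from Tumult), here is a small Python helper that finds and strips the numeric query string from the script src of an embed snippet before it is pasted into a page; the embed snippet below is constructed, and its paths and number are placeholders rather than values from a real document.

```python
import re

# Matches the src attribute of a <script> tag whose URL ends in a numeric
# query string such as ?33439 (the form the thread describes).
# Group 1 is everything up to the '?', group 2 is the closing quote.
_SCRIPT_SRC_QUERY = re.compile(
    r'(<script\b[^>]*\bsrc=["\'][^"\'?]+)\?\d+(["\'])',
    re.IGNORECASE,
)

# Same shape, but captures only the query string itself for reporting.
_SCRIPT_SRC_QUERY_ONLY = re.compile(
    r'<script\b[^>]*\bsrc=["\'][^"\'?]+(\?\d+)["\']',
    re.IGNORECASE,
)


def find_script_queries(snippet: str) -> list:
    """Return the numeric query strings found on <script src> URLs."""
    return _SCRIPT_SRC_QUERY_ONLY.findall(snippet)


def strip_script_queries(snippet: str) -> str:
    """Remove ?NNNNN from every <script src="..."> in the embed snippet.

    Script tags without a query string are left untouched.
    """
    return _SCRIPT_SRC_QUERY.sub(r"\1\2", snippet)


# Constructed embed snippet in the general shape of a Hype export; the
# container id, host, file names and the number are placeholders.
EXAMPLE_EMBED = (
    '<div id="example_hype_container" style="margin:auto;position:relative;'
    'width:600px;height:400px;overflow:hidden;">\n'
    '  <script type="text/javascript" charset="utf-8" '
    'src="https://example.com/example.hyperesources/'
    'example_hype_generated_script.js?33439"></script>\n'
    "</div>"
)

if __name__ == "__main__":
    print(find_script_queries(EXAMPLE_EMBED))   # ['?33439']
    print(strip_script_queries(EXAMPLE_EMBED))
```

The number appears to act as a cache-buster, so after stripping it a re-exported document may be served from the browser cache until the cache is cleared or the script file is renamed.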

@photics I think you had hit this here? (I just hit the problem on our WordPress site so I tried a couple things and the query string was the issue…)

Well, there were two issues. First was the XSS issue. I solved it by using iframes. I decided to stay with iframes because it has much better scaling support when the project is placed on a WordPress page. In the thread you linked, I detailed the performance issue when using Hype scaling vs. my own scaling code.

Also, I add styles to the HTML header for the B.R.O.O.M project, so placing a project on the page causes problems too.

There's a nice module for managing your site's Content Security Policy (CSP).

I was livid when I found out that my smilies were being hosted offsite. To solve that problem, there's the "Classic Smilies" module...