If you see the following error in Safari:
The XSS Auditor refused to execute a script in 'https://example.com' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
Remove the query string at the end of your document's embed code when embedded on your page. This looks like ?33439.
Alternatively, you could adjust the X-XSS settings for your server.
@photics I think you had hit this here? (I just hit the problem on our WordPress site so I tried a couple things and the query string was the issue…)
Well, there were two issues. First was the XSS issue. I solved it by using iFrames. I decided to stay with iFrames because it has much better scaling support, when the project is placed on a WordPress page. In the thread you linked, I detailed the performance issue when using Hype scaling, vs my own scaling code.
Also, I add styles to the HTML header for the B.R.O.O.M project, so placing a project on the page causes problems too.
There's a nice module for managing your site's Content Security Policy (CSP).
I was livid when I found out that my smilies were being hosted offsite. To solve that problem, there's the "Classic Smilies" module...