Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Chrome displays error message in iframe - Unsual code detected

See original GitHub issue

Update

Please use Firefox while we come up with a fix. Apologies for the inconvenience.

Challenge Add a Submit Button to a Form has an issue. User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.88 Safari/537.36.

Description edited by @systimotic for clarification There is a warning displayed in the phone frame. It says: “Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).”

screenshot

Code:


<link href="https://fonts.googleapis.com/css?family=Lobster" rel="stylesheet" type="text/css">
<style>
  .red-text {
    color: red;
  }

  h2 {
    font-family: Lobster, Monospace;
  }

  p {
    font-size: 16px;
    font-family: Monospace;
  }

  .thick-green-border {
    border-color: green;
    border-width: 10px;
    border-style: solid;
    border-radius: 50%;
  }

  .smaller-image {
    width: 100px;
  }
</style>

<h2 class="red-text">CatPhotoApp</h2>

<p>Click here for <a href="#">cat photos</a>.</p>

<a href="#"><img class="smaller-image thick-green-border" alt="A cute orange cat lying on its back. " src="https://bit.ly/fcc-relaxing-cat"></a>

<p>Things cats love:</p>
<ul>
  <li>cat nip</li>
  <li>laser pointers</li>
  <li>lasagna</li>
</ul>
<p>Top 3 things cats hate:</p>
<ol>
  <li>flea treatment</li>
  <li>thunder</li>
  <li>other cats</li>
</ol>
<form action="/submit">
  
</form>
<form action="/submit-cat-photo">
  <input type="text" placeholder="cat photo URL">
</form>

Issue Analytics

State:
Created 7 years ago
Reactions:5
Comments:72 (25 by maintainers)

Top GitHub Comments

4reactions

systimoticcommented, Mar 12, 2017

I can reproduce this with Chrome 57, both on the beta and the live site.

The version where this can be reproduced is 57.0.2987.88. From the Chrome releases blog, on March 9th:

The Chrome team is delighted to announce the promotion of Chrome 57 to the stable channel - 57.0.2987.98 for Windows, Mac and Linux. This will roll out over the coming days/weeks.

The error:

The XSS Auditor blocked access to ‘https://www.freecodecamp.com/challenges/add-a-submit-button-to-a-form#?solution=solution-here’ because the source code of a script was found within the request. The auditor was enabled as the server did not send an ‘X-XSS-Protection’ header.

This mentions that the error we’re seeing is indeed caused by functionality enabled in Chrome 57.

The warning seems to be triggered by having a form in the iframe. Here’s a StackOverflow post with a suggestion on how to solve this.

I tested how Codepen handles this. It does work fine there. Some notable differences:

X-Frame-Options is ALLOWALL on Codepen, SAMEORIGIN on fCC. I think this is unlikely to be the cause, but it may be related.
X-XSS-Protection is 1; mode=block on fCC, but not present on Codepen. I think this is why it does work on Codepen but not on fCC.

/cc @freeCodeCamp/moderators This looks like it has the potential to become a very serious issue for us, but I’m not certain. Can anybody help investigate?

2reactions

paddylandaucommented, Apr 25, 2017

@QuincyLarson — Yes, I still have this problem on Chrome 58.

@tobi10 — A simple refresh simply reloads the page, but doesn’t refresh everything; it still uses the cache. To force a complete refresh and ignore the cache, press Ctrl+Shift+R. It should save you the hassle of signing out and in again.