iFrame failing to display when content is published

I've had this situation a few times now with Drupal where inserting an iFrame when editing/creating content resulted in the src tag being stripped out of the iframe when previewing or viewing the node. The strangest thing is that resaving the content multiple times, or refreshing the page multiple times, seems to make the iframe suddenly appear, after which point it will appear every time you subsequently load the page.

It turns out that this problem is not a Drupal problem at all, but rather a Chrome problem. The penny didn't drop to check the debugger until I checked IE and Firefox, to realise that the problem wasn't there. Chrome was saying, "The XSS Auditor refused to execute a script in [url here] because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."

In order to get around this problem, I ended up sending an "X-XSS-Protection: 0" header from my template.php file. In yourtheme_preprocess_html() add the following as the first line:

    header("X-XSS-Protection: 0");

I don't know if this is the 100% correct solution, it looks a bit janky (possible security problem?), but it turns out there's currently a bug in D7 that prevents drupal_send_headers() from sending this one in particular, due to the value 0. This is fixed in D8 at time of writing and is waiting for a backport to D7.
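
A narrower variant of the workaround above, as an added example that is not part of the original post: it sends the header only on node add/edit forms (where previews are submitted) for logged-in users, and on node pages whose body contains an iframe, so the browser's auditor stays enabled everywhere else. The theme name yourtheme comes from the post; the helper function name and the use of the default "body" field are assumptions.

```php
<?php
/**
 * Implements hook_preprocess_html() in template.php (Drupal 7).
 *
 * Added example: scope "X-XSS-Protection: 0" to the pages that need it
 * instead of sending it site-wide.
 */
function yourtheme_preprocess_html(&$variables) {
  if (yourtheme_page_needs_auditor_off() && !headers_sent()) {
    // Plain header() is used, as in the post, because of the D7 issue
    // with sending this header when its value is 0.
    header('X-XSS-Protection: 0');
  }
}

/**
 * Hypothetical helper: TRUE when the current page is one where embedded
 * iframes are expected to be submitted or displayed.
 */
function yourtheme_page_needs_auditor_off() {
  // Node add/edit forms (node/add/*, node/N/edit), which is also where
  // previews are rendered. Only content editors reach these pages.
  if (arg(0) == 'node' && (arg(1) == 'add' || arg(2) == 'edit')) {
    return user_is_logged_in();
  }

  // Node view pages: check whether the stored body contains an iframe.
  $node = menu_get_object();
  if (!$node) {
    return FALSE;
  }
  // Assumption: the iframe markup lives in the default "body" field.
  $items = field_get_items('node', $node, 'body');
  if (!$items) {
    return FALSE;
  }
  foreach ($items as $item) {
    if (isset($item['value']) && stripos($item['value'], '<iframe') !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}
```

Clear the theme registry cache after editing template.php so the preprocess function is picked up.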
