freeCodeCamp: Chrome displays error message in iframe - Unusual code detected

Update

Please use Firefox while we come up with a fix. Apologies for the inconvenience.


Challenge Add a Submit Button to a Form has an issue. User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.88 Safari/537.36.

Description edited by @systimotic for clarification: There is a warning displayed in the phone frame. It says: “Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).”

[screenshot]

Code:


<link href="https://fonts.googleapis.com/css?family=Lobster" rel="stylesheet" type="text/css">
<style>
  .red-text {
    color: red;
  }

  h2 {
    font-family: Lobster, Monospace;
  }

  p {
    font-size: 16px;
    font-family: Monospace;
  }

  .thick-green-border {
    border-color: green;
    border-width: 10px;
    border-style: solid;
    border-radius: 50%;
  }

  .smaller-image {
    width: 100px;
  }
</style>

<h2 class="red-text">CatPhotoApp</h2>

<p>Click here for <a href="#">cat photos</a>.</p>

<a href="#"><img class="smaller-image thick-green-border" alt="A cute orange cat lying on its back. " src="https://bit.ly/fcc-relaxing-cat"></a>

<p>Things cats love:</p>
<ul>
  <li>cat nip</li>
  <li>laser pointers</li>
  <li>lasagna</li>
</ul>
<p>Top 3 things cats hate:</p>
<ol>
  <li>flea treatment</li>
  <li>thunder</li>
  <li>other cats</li>
</ol>
<form action="/submit">
  
</form>
<form action="/submit-cat-photo">
  <input type="text" placeholder="cat photo URL">
</form>


About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 5
  • Comments: 72 (25 by maintainers)

Most upvoted comments

I can reproduce this with Chrome 57, both on the beta and the live site.

The version where this can be reproduced is 57.0.2987.88. From the Chrome releases blog, on March 9th:

The Chrome team is delighted to announce the promotion of Chrome 57 to the stable channel - 57.0.2987.98 for Windows, Mac and Linux. This will roll out over the coming days/weeks.

The error:

The XSS Auditor blocked access to ‘https://www.freecodecamp.com/challenges/add-a-submit-button-to-a-form#?solution=solution-here’ because the source code of a script was found within the request. The auditor was enabled as the server did not send an ‘X-XSS-Protection’ header.

This mentions that the error we’re seeing is indeed caused by functionality enabled in Chrome 57.

The warning seems to be triggered by having a form in the iframe. Here’s a StackOverflow post with a suggestion on how to solve this.

I tested how Codepen handles this. It does work fine there. Some notable differences:

  • X-Frame-Options is ALLOWALL on Codepen, SAMEORIGIN on fCC. I think this is unlikely to be the cause, but it may be related.
  • X-XSS-Protection is 1; mode=block on fCC, but not present on Codepen. I think this is why it does work on Codepen but not on fCC.

/cc @freeCodeCamp/moderators This looks like it has the potential to become a very serious issue for us, but I’m not certain. Can anybody help investigate?
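To make the header comparison in that comment concrete, here is an added example (not freeCodeCamp's or Codepen's code) that parses an X-XSS-Protection value into the auditor setting it asks Chrome 57 for and reports the outcome for the two header sets quoted above; the header dictionaries are constructed from the comment, not captured from either site.

```python
from typing import Dict, Optional

# Header sets constructed from the values quoted in the comment above
# (hypothetical snapshots, not live responses from either site).
FCC_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}
CODEPEN_HEADERS = {"X-Frame-Options": "ALLOWALL"}


def parse_xss_protection(value: Optional[str]) -> Dict[str, object]:
    """Return the auditor setting an X-XSS-Protection value requests.

    None (header absent) -> auditor on, default filter mode
    "0"                  -> auditor off
    "1"                  -> auditor on, reflected script stripped (filter)
    "1; mode=block"      -> auditor on, whole page blocked instead
    "1; report=<url>"    -> auditor on, violation reported to <url>
    """
    if value is None:
        return {"enabled": True, "mode": "filter", "report": None, "explicit": False}
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = tokens[0] == "1"
    setting = {"enabled": enabled, "mode": "filter" if enabled else "off",
               "report": None, "explicit": True}
    for directive in tokens[1:]:
        key, _, val = directive.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "mode" and val.lower() == "block" and enabled:
            setting["mode"] = "block"
        elif key == "report" and val:
            setting["report"] = val
        else:
            raise ValueError(f"unknown directive {directive!r} in X-XSS-Protection")
    return setting


def auditor_outcome(headers: Dict[str, str]) -> str:
    """Describe what the auditor does to a page whose script text also appears
    in its own request URL (the #?solution=... case from the error message)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    setting = parse_xss_protection(lowered.get("x-xss-protection"))
    framing = lowered.get("x-frame-options", "absent")
    if not setting["enabled"]:
        return f"auditor disabled by header; framing policy {framing}"
    if setting["mode"] == "block":
        return f"auditor blocks the whole page; framing policy {framing}"
    return f"auditor strips the reflected script; framing policy {framing}"
```

The header is legacy: Chrome removed the XSS Auditor in version 78, so a Content-Security-Policy, not X-XSS-Protection, is what governs this behaviour in current browsers.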

@QuincyLarson — Yes, I still have this problem on Chrome 58.

@tobi10 — A simple refresh simply reloads the page, but doesn’t refresh everything; it still uses the cache. To force a complete refresh and ignore the cache, press Ctrl+Shift+R. It should save you the hassle of signing out and in again.

The issue seems to be resolved by upgrading to version 58 (Version 58.0.3029.81 beta, 64-bit, on my machine). I was getting the same error and had to go into the 3 dots -> About. Under the version was a button I had to press to complete the update from v57 to v58. Upon relaunch of Chrome the issue was resolved.

Thanks for the insight, and the excellent sum-up of what we debugged the other day. Yes, it’s a bit tricky on the production site; I’ll update asap.

Please refer to this comment.

I strongly believe the above comment correctly analyzes what’s going on here.

This is most probably fixed in the staging because we have stopped automatic code execution on the page.

@ssisaias — The workaround (not a solution) from @udbhavs might work, but that is because it deliberately breaks security! It is not a reasonable workaround, and certainly not appropriate for a work-based computer or indeed any computer that holds confidential information.

@QuincyLarson Chrome settings > advanced settings > Protect from dangerous sites > off worked for me for a while

It might be related to Chrome Beta. See #12655. It works fine for me with stable Chrome. @leekirby6 Can you try it with stable Chrome?

@leekirby6 thanks for the issue. Can you give more information on where you saw this notification? A screenshot might help as well if you’re able to provide one. I don’t get any notification from Chrome when I open the page. Thanks!