I clicked View Source to see the code on my new infinity free site which only hosts one .html page. Instead of seeing the code I expected to see, I saw something like the following (see stackoverflow link below). aes.js links to obfuscated code so this is obviously malicious. When I clicked reload the View Source source code returned to normal. I’m just trying to make sense of what’s happening. When this happens the embedded widgets (standard Youtube and GoFundme embeds) fail to load as well. Someone please tell me what’s going on.
It’s breaking my site by causing embedded youtube and gofundme widgets to not load. These are just standard cut-and-paste widgets provided by youtube and gofundme, nothing unusual.
Why is the code obfuscated if it’s not malicious? Can it be fixed?
The system specifically prevents embedding to other websites. That’s the whole point.
If you sincerely believes this is malicious then please just find somewhere else that suits your needs.
please elaborate why the point is to prevent embedding to other websites such as youtube and gofundme.
The system blocks clients that is not a browser. When other websites need to generate an embed for you, they need to fetch some data of your website by making a request.
Most of these times these websites make a request with simple tools that is not a browser, so cannot run JavaScript or accept cookies. So the system blocks these.
I believe there’s a miscommunication. The youtube embed is done with an iframe embed. The fetching is done by a web browser to a 3rd party site namely youtube.com. Youtube is not fetching any data from my web site.
OK so you’ve been a bit unclear. I thought you are going the other way around but actually no.
In this case that script has no influence here, it’s not the culprit.
Now if you try to embed a random YouTube video it may not work at all. This is because YouTube can reject embeding on their end.
If it is your video, you need to check if you have allowed embeding on the video you wish to use. If it is someone else’s then there’s a high chance that it doesn’t allowed to be embeded in the first place.
I works fine after I click reload. It’s just the first time landing on the page that it isn’t working which is bad if visitors land on my site and it doesn’t load. I suspect that script I mentioned in my first post is causing the widgets to not load.
Technically it shouldn’t because all it does is set a cookie then check that cookie if it is set.
The cookie’s name is called _test. Besides a GET parameter i is set so ?i=1.
Technically it shouldn’t break because many people have successfully embeded a YouTube video here without problems… If you ever wanted to share your URL people can help you better.
On the other hand if the “first time” you are talking about is before the security has fired then there’s absolutely no way to change that.
Thank you for your attention to this. My site is also proxied through cloudflare so is it possible that your cookie test and Cloudflare could be having a conflict with each other?
First of all, as a clarification, I’m not a staff.
Cloudflare could be the culprit. I thought that they have already fixed the issue though…
Can you please check what happens if you disable Cloudflare temporarily and see if the site works? If it works then it is a conflict and if it doesn’t then it’s something else.
Thank you. The problem is that the issue is intermittent. It doesn’t fail every time so I can’t be sure that no problem means the problem is fixed. But it has failed enough times that it isn’t just a one time fluke either. When it does fail it’s on the first visit but not every first visit fails.
I just opened Edge which I never use and visited my site for the first time ever using Edge. That was a first visit and it loaded just fine even with the cloudflare proxy still active.
When I say first visit I mean waiting several hours not visiting my site and coming back to it in a new private window.
I cannot imagine that either Cloudflare or our browser challenge script could cause a YouTube embed to break. In all cases, the page is just loaded by your browser and all code on it should execute normally.
The whole situation sounds like it could just be a race condition with some other code on your website. Like the YouTube embed widget not working because it has trouble finding the right size to use because the CSS is not loaded in, as one example.
However, it’s hard to say anything more specific without being able to reproduce the issue ourselves. At the very least, would you be willing to share your website URL so we can check it too?
The problem doesn’t seem to be related to InfinityFree. I was spooked by that obfuscated code and genuinely did not realize it was a legitimate browser validating thing, so that’s why I brought it here. But I was able to reproduce the problem on another web server so I’ve confirmed it’s not InfinityFree related. Just thought you guys would want to know.
I still haven’t solved the problem yet. What happens is that all of the iframe’s onload events are fired for the entire page. But the content does not load for any of the several youtube iframes. But it does load for the gofundme iframes.
So now I need a way to test whether the content has loaded or not so that JavaScript can reload the iframe content for all of the youtube iframes. I haven’t figured out how to do that yet since the onload event is fired whether the content loads or not.
There aren’t any race conditions so that’s not it. But it could be a badly behaving chrome extension.
You do you of course, but that seems like a dirty workaround to me. “Oh, the iframe sometimes doesn’t load, so let’s add some scripting to refresh it until it works” isn’t really solving the problem, it just paints over it.
I would try looking for an explanation as to why the YouTube embed isn’t working. Maybe there are errors in the browser console, maybe you can see what’s in the iframe in the cases where it doesn’t work.
Here is the error message in the console:
Unsafe attempt to load URL from frame with URL chrome-error://chromewebdata/. Domains, protocols and ports must match.
The culprit was a chrome extension called DuckDuckGo Search & Tracker Protection. When I disabled it the errors went away. I’m not even sure what that does besides set Duck Duck Go as my search engine, so I’m leaving it disabled.
Yes what I proposed earlier was a dirty solution. Before I found the actual culprit I set it up and it worked until I disabled my adblocker to see if that was the problem. The adblocker was apparently what was triggering the onload event when content failed to load, so without it it still failed, just without triggering an onload event which rendered my solution useless (without adding a timeout to it of course.)
Ah, DuckDuckGo seems to cause problems with a lot of google services (such as youtube)…
Glad you’ve got to the bottom of it 