3

I am encountering strange behavior with my web app in Safari (no problem at all with FF).

The code is pretty simple:

  • I have a form which contains some checkboxes.
  • I click on the submit button, which sends the data via POST to the same page, in which a PHP script writes a cookie
  • then, PHP reloads the same page with `header("Location:index.php");`

Unfortunately, I get the following error with Safari:

"Refused to execute a JavaScript script. Source code of script found within request."

The page does NOT send JavaScript or a URL or other malicious code. It just POSTs data from a form. So, how could I avoid this? Could anyone explain why Safari tells me I want to execute JavaScript code? (Of course, adding `header("X-XSS-Protection: 0");` at the top of the page fixes the problem. But I'm not very happy with this kind of countermeasure...)

Here are some relevant parts of the code (simplified):

```php
<?php
if(@$_POST["foo"] == "yes"){
    $choice = join("-", $_POST["choice"]);
    setcookie("bar",$choice, time()+900000);
    header("Location:index.php");
}
?>
```

```html
<form method="post" action="index.php">
<input type="hidden" name="foo" value="yes">
<p><input type='checkbox' name='choice[]' value='foo'> foo</p>
<p><input type='checkbox' name='choice[]' value='bar'> bar</p>
<p><input type='checkbox' name='choice[]' value='baz'> baz</p>
<input type="submit">
</form>
```

Thanks in advance for your responses!

EDIT:

  • I strongly suspect a bug in my favourite version of Safari (5) since the code is working perfectly in Safari 6 (ML), Firefox and Chrome.
  • Putting the setcookie section at the top of the page and calling "exit" right after header("location:") doesn't fix the problem.
  • Even if I put the setcookie in a separate PHP script and reload the page from within this new page, I get the same error in Safari 5.

As requested by SilverlightFox, here are some screenshots of the HTTP response headers of the 2 pages:

[Screenshot: headers of the page which sets the cookie]

[Screenshot: headers of the page reloaded]

Chrysotribax
  • Not sure, but can you name your input `choice[]`? Should it just be `choice`? – Sablefoste Apr 28 '14 at 18:10
  • @Sable Of course he can, and must if he wants an array. That has nothing to do with the problem – Damien Pirsy Apr 28 '14 at 18:11
  • Can you add to your answer the full HTTP response of the page that causes the error to appear? – SilverlightFox Apr 29 '14 at 10:27
  • Please see my edits for screenshots of HTTP response. – Chrysotribax Apr 29 '14 at 12:34
  • I suspect that this warning comes from the square brackets in the name `name='choice[]'`, could you try without the brackets like this: `name='choice'`? – martinstoeckli Apr 29 '14 at 12:52
  • Hello martinstoeckli, removing the brackets does not fix the problem at all. Since my form contains an arbitrary number of checkboxes, dynamically created, with values that I don't know, I need the brackets because I want the PHP POST values to give me an array. – Chrysotribax Apr 29 '14 at 14:32
  • I guess it's picking up on the `setcookie` as it is reflecting the POST data. A very strange bug if so! – SilverlightFox Apr 29 '14 at 14:36
  • Just emit `X-XSS-Protection: 0` and you're done. This misfeature should have a description of "Apply random modifications to page source to disable JavaScript" because that would better match the actual implementation. – Mikko Rantalainen Aug 30 '19 at 06:09

1 Answer

2

After setting the Location header, you should make a call to exit.

This will prevent any more processing of your page, and the rest of the response will not be sent to the browser (if you do not call exit, the HTML content will still be sent even though you are redirecting).

My guess is that there is output of an unencoded parameter somewhere in your page (not present in your code snippet in your question). View the page output to see if your HTML content is inadvertently generating any JavaScript code in the HTTP response body after the redirect header is sent.

Community
SilverlightFox
  • Thank you for your response, but it's not working in my case. Please see my edit: I think it's just a bug of the browser I use... – Chrysotribax Apr 29 '14 at 10:12
  • @SilverlightFox Notice how the Content-Length header of the redirect response is zero? Nothing is being sent in that response body. – Niet the Dark Absol Apr 29 '14 at 12:37
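
An added example (not code from the question or the answer) showing the handler with the answer's two points applied: `exit` right after the redirect, and HTML-encoding every value written into the page. It makes no claim about the Safari 5 behaviour the asker reports. Assumptions: PHP 7.1+, a server-side allowlist `$allowed`, and the hypothetical helpers `filter_choices()` and `choices_from_cookie()`.

```php
<?php
// Added example. Assumption: the permitted checkbox values are known
// server-side (for a dynamic form, build $allowed from the same source).
// Values must not contain "-", which is used as the cookie separator.
$allowed = ['foo', 'bar', 'baz'];

/** Keep only submitted values that are strings and on the allowlist. */
function filter_choices($submitted, array $allowed): array
{
    if (!is_array($submitted)) {
        return [];
    }
    $strings = array_filter($submitted, 'is_string');
    return array_values(array_intersect($allowed, $strings));
}

/** Decode the cookie into validated choices (a cookie is client input too). */
function choices_from_cookie($cookie, array $allowed): array
{
    return is_string($cookie) && $cookie !== ''
        ? filter_choices(explode('-', $cookie), $allowed)
        : [];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['foo'] ?? '') === 'yes') {
    $choice = implode('-', filter_choices($_POST['choice'] ?? [], $allowed));
    // Last argument sets HttpOnly; pass true for "secure" when served over HTTPS.
    setcookie('bar', $choice, time() + 900000, '/', '', false, true);
    header('Location: index.php', true, 303); // 303: the follow-up request is a GET
    exit; // no body is generated after the redirect header
}

$selected = choices_from_cookie($_COOKIE['bar'] ?? null, $allowed);
?>
<form method="post" action="index.php">
<input type="hidden" name="foo" value="yes">
<?php foreach ($allowed as $value): ?>
<p><input type="checkbox" name="choice[]"
   value="<?= htmlspecialchars($value, ENT_QUOTES, 'UTF-8') ?>"
   <?= in_array($value, $selected, true) ? 'checked' : '' ?>>
   <?= htmlspecialchars($value, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<input type="submit">
</form>
```

Because only allowlisted strings ever reach the cookie or the markup, nothing from the POST body is echoed verbatim into a later response.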