By default, VMware Horizon employs the XSS (cross-site scripting) Filter feature to mitigate cross-site scripting attacks by sending the header x-xss-protection=1; mode=block in its HTTP responses.

You can disable this feature by adding the following entry to the file locked.properties:
x-xss-protection=OFF