If the error is shown even you send the right header, check if you send the header perhaps twice. This is shown in the error-console below network and you click on any file.
Sending the header twice can happen if for the server
add_header X-XSS-Protection "1; mode=block";
is noted in two different include-files or one include-file is included twice.
Browsers or at least chrome is concatenating the two headers then internally and the applied WRONG rule is then, like shown in the question:
X-XSS-Protection: "1; mode=block, 1; mode=block"