Issue 807604 link

Issue metadata

Status: Fixed
Closed: Oct 16
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug

Blocking:
issue 583290


Hotlists containing this issue:
Hotlist-5
Hotlist-6



[Local NTP] Send Origin to interactive Doodle iframe

Project Member Reported by treib@chromium.org, Jan 31 2018

Issue description

On the local NTP, interactive Doodles (i.e. not simple or animated ones) are embedded in an iframe. The server only allows the page to be iframed if it's on "chrome-search://local-ntp", but currently Chrome doesn't send an "Origin:" or "Referer:" header. So the server can't tell that it's the local NTP, sends "X-Frame-Options: SAMEORIGIN", and things break.
 

Comment 1 by treib@chromium.org, Jan 31 2018

Investigation so far:

"Origin" is generally not sent with GET requests [1]. (Though there should be some exception for CORS requests, maybe we can make use of that somehow?)

"Referer" should be sent and is mostly equivalent for our purposes, but apparently Blink generally only ever sends http(s) referrers [2].

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/loader/fetch/ResourceRequest.cpp?rcl=fc198dd968c55bc2af42f70a1b427bd088d345f3&l=454
[2] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/weborigin/KURL.cpp?rcl=5646f547e03f79baf219ab6465ceb9cc0740b36c&l=139

Comment 2 by zea@chromium.org, Feb 6 2018

Labels: zine-triaged

Comment 3 by treib@chromium.org, Feb 13 2018

Cc: -sfiera@google.com sfiera@chromium.org

Comment 4 by treib@chromium.org, Mar 5 2018

Owner: ramyan@chromium.org
Status: Assigned (was: Available)
This is required for launching interactive Doodles on the local NTP.
Labels: NTPDoodle
Labels: Hotlist-ConOps
Cc: ramyan@chromium.org
Owner: kmilka@chromium.org
Status: Started (was: Assigned)
I don't think this can be solved solely with NTP changes, we'll probably need to do something on the Doodle team's side.

To address some of the points in c1:

The origin IS sent with cross-origin requests, but the request for the fpdoodle page isn't sent as a cross origin request, it's simply a GET request for the page. It's only identified as cross-origin when the browser attempts to render it in the iframe, at which point X-FRAME-OPTIONS is already SAME-ORIGIN.

The proper way to fix this would be to set the iframe's referrerPolicy = "origin", but the referrer is stripped out by Blink due to not being http(s).

Some other options:

Set frame-ancestors: 'chrome-search://local-ntp/' in the fpdoodle's CSP.  I don't see a CSP for the fpdoodle page currently, I guess it'd be the same as google.com's.

Send an XHR GET request for the url, something like:

// $ and IDS are the local NTP's own helpers (element lookup by id).
function ddlHandler() {
  console.log("readyState:", this.readyState);
  if (this.readyState === this.DONE && this.status === 200) {
    // createObjectURL needs a Blob, so the request must use responseType 'blob'.
    var data_url = URL.createObjectURL(this.response);
    $(IDS.LOGO_DOODLE_IFRAME).src = data_url;
  }
}
var xhr = new XMLHttpRequest();
xhr.open('GET', targetDoodle.metadata.fullPageUrl);
xhr.responseType = 'blob';
xhr.onreadystatechange = ddlHandler;
xhr.send();

Currently these requests are blocked with the error 'blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource'. Adding the header shouldn't be too difficult but I'm not sure using the data url would preserve the relative links which was the point of iframing to begin with.


Maybe we can get Blink to not strip the referrer in this case? It'd require quite a bit of plumbing (some sort of "client" or "delegate" interface, or maybe it can be added to an existing one), but it might be the cleanest solution.
Some notes (mainly for myself): need to investigate further but so far it looks like the check here [1] fails, while KURL::StrippedForUseAsReferrer() doesn't affect the chrome-search:// scheme. Though even bypassing both checks fails to send the referrer.

[1] https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/weborigin/security_policy.cc?l=110

We've added the local ntp to frame-ancestors in fpdoodle's CSP, b/117123566.  Once the change is live I'll verify that everything works correctly.
Labels: KR-NTP-Architecture-Local
Status: Fixed (was: Started)
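Modelled as an added example (not Chromium or Doodle-server code): why a Referer-based server check cannot see the local NTP while a frame-ancestors allow-list can. The function names and the simplified CSP matcher (only 'self', 'none', scheme-only and exact-origin sources) are assumptions.

```javascript
// Added example; models the behaviours this thread hinges on.

// Scheme + host of a URL; URL.origin reports "null" for non-special schemes
// such as chrome-search://, so build it by hand.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Blink only ever emits http(s) referrers (comment 1, [2]): a document on
// chrome-search://local-ntp/ contributes no Referer, whatever referrerPolicy
// the iframe declares.
function referrerFor(embedderUrl, referrerPolicy) {
  const u = new URL(embedderUrl);
  if (referrerPolicy === "no-referrer") return null;
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return referrerPolicy === "origin" ? originOf(embedderUrl) + "/" : u.href;
}

// The iframe navigation is a plain GET with no Origin header, so the only
// embedder identification the server could ever see is the Referer.
function frameLoadHeaders(embedderUrl) {
  const ref = referrerFor(embedderUrl, "origin");
  return ref ? { Referer: ref } : {};
}

// Server side (hypothetical): unless the Referer names an allowed embedder,
// fall back to X-Frame-Options: SAMEORIGIN. This is the check that breaks.
const ALLOWED_EMBEDDERS = ["chrome-search://local-ntp"];
function framingHeadersFor(reqHeaders) {
  const ref = reqHeaders.Referer;
  if (ref && ALLOWED_EMBEDDERS.includes(originOf(ref))) return {};
  return { "X-Frame-Options": "SAMEORIGIN" };
}

// frame-ancestors is evaluated by the browser against the embedding
// document's origin, not request headers, so it works for chrome-search://.
function frameAncestorsAllows(csp, responseOrigin, embedderUrl) {
  const directive = csp.split(";").map(s => s.trim())
    .find(d => d.startsWith("frame-ancestors"));
  if (!directive) return true; // no directive: CSP does not restrict framing
  const embedder = originOf(embedderUrl);
  return directive.split(/\s+/).slice(1).some(src => {
    if (src === "'none'") return false;
    if (src === "'self'") return embedder === responseOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return embedder.startsWith(src + "//");
    return src.replace(/\/$/, "") === embedder;
  });
}
```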
 
Is this really fixed? Today's video doodle is still blocked in Chrome Canary + Local NTP flag.
Thanks for the report!

That's a separate issue, the NTP is refusing to iframe google pages with a TLD other than .com. Added crbug.com/898945 to track it.
