
Issue 863411

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 10
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: Bug
M70




Cannot change avatar picture from NTP

Project Member Reported by droger@chromium.org, Jul 13

Issue description

* Set an avatar picture
* Try to change it from the NTP (see video)


There was an error!
Details:
Invalid origin value.

I can also see this in the Chrome log:

[180483:180483:0713/161913.381317:ERROR:CONSOLE(0)] "Failed to load https://play.google.com/log?format=json&authuser=0: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'http://play.google.com' that is not equal to the supplied origin. Origin 'chrome-search://local-ntp' is therefore not allowed access.", source: chrome-search://local-ntp/local-ntp.html (0)
[180483:180483:0713/161913.776543:ERROR:CONSOLE(0)] "Invalid 'X-Frame-Options' header encountered when loading 'https://docs.google.com/picker?protocol=iframes&origin=chrome-search%3A%2F%2Flocal-ntp&profilePhoto=true&hostId=og&actions=loaded&thumbs=30-c%2C96-c&hl=en&authuser=0&st=000770F20366BE8E35B90585E989FFA7B2B063A75F2DC80981%3A%3A1531491549034&nav=((%22upload%22%2Cnull%2C%7B%22query%22%3A%22profile%22%7D)%2C(%22photos%22)%2C(%22photos%22%2Cnull%2C%7B%22type%22%3A%22ofuser%22%7D))&message=undefined&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.yK0z3MKtgaU.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo-SafOYj4n3budMysbWxppU-lxJeg#rpctoken=448057538&_methods=_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart&id=I1_1531491553630&_gfid=I1_1531491553630&parent=chrome-search%3A%2F%2Flocal-ntp&pfname=': 'ALLOW-FROM chrome-search://local-ntp' is not a recognized directive. The header will be ignored.", source: chrome-search://local-ntp/local-ntp.html (0)
Attachment: out.ogv (1.1 MB)
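
Added example (not part of the original report and not Chromium code): a simplified model of the two header checks named in the console errors above, run against the header values quoted in those log lines. The function names are hypothetical, and the credentials flag passed for the logged request is an assumption.

```javascript
// Simplified models of the checks behind the two console errors.
// Illustration only; function names are hypothetical.

// CORS: Access-Control-Allow-Origin must be "*" (accepted only for requests
// without credentials) or equal the serialized request origin exactly,
// scheme included. A missing header always fails.
function corsOriginAllowed(requestOrigin, allowOriginHeader, withCredentials) {
  if (allowOriginHeader === null || allowOriginHeader === undefined) return false;
  const value = allowOriginHeader.trim();
  if (value === '*') return !withCredentials;
  return value === requestOrigin;
}

// X-Frame-Options: DENY and SAMEORIGIN are the recognized directives.
// Any other value, including "ALLOW-FROM <origin>", is reported as
// unrecognized and the header is ignored (as the log message states),
// so it neither blocks nor allowlists the embedding page.
function evaluateXFrameOptions(headerValue, parentOrigin, frameOrigin) {
  const directive = headerValue.trim().toUpperCase();
  if (directive === 'DENY') return { recognized: true, allowed: false };
  if (directive === 'SAMEORIGIN') {
    return { recognized: true, allowed: parentOrigin === frameOrigin };
  }
  return { recognized: false, allowed: true };
}

// Header values copied from the two log lines in the report.
function reproduceLoggedChecks() {
  const ntp = 'chrome-search://local-ntp';
  return {
    // Server answered with 'http://play.google.com', not the NTP origin.
    // withCredentials=true is assumed; the result is the same either way.
    cors: corsOriginAllowed(ntp, 'http://play.google.com', true),
    // Picker iframe on docs.google.com sent ALLOW-FROM for the NTP origin.
    xfo: evaluateXFrameOptions('ALLOW-FROM ' + ntp, ntp, 'https://docs.google.com'),
  };
}

console.log(JSON.stringify(reproduceLoggedChecks()));
```

The CORS check fails because the returned origin differs from the requesting one, and the ALLOW-FROM value is treated as unrecognized, which matches the two messages in the log.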
Cc: tangltom@chromium.org msarda@chromium.org
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 27

Cc: droger@chromium.org jlebel@chromium.org ew...@chromium.org sabineb@chromium.org bsazonov@chromium.org
Status: Available (was: Untriaged)
--Chrome Identity automated triaging--

This bug is Untriaged and has gone for two weeks without any activity, so it is being moved to Available. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: yyushkina@chromium.org
I'm not able to repro this on Canary (when I click the avatar to change it, it brings up the regular dialogue to upload another photo, pick another photo, etc.)

David, are you still repro'ing this? What version of Chrome were you running? Is this an identity issue or an NTP issue?
Owner: yyushkina@chromium.org
I can still repro with Chromium (trunk) on Linux.
I have not tried with Canary.

I think it's a problem with that Web UI and CSP.


Owner: ----
Cc: ramyan@chromium.org
Components: -UI>Browser>Profiles UI>Browser>NewTabPage
Changing the component to NewTabPage, since I don't think this is a Profiles/SignIn issue.
Ramya - is this something for the One Google bar team?
Labels: zine-triaged
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Thanks for filing this - it looks like it's limited to the Local NTP, which uses a special version of the One Google Bar. I've filed b/112048257 to track that internally with the One Google team.
Labels: M70
Cc: kmilka@chromium.org
This might have been the cause: https://bugs.chromium.org/p/chromium/issues/detail?id=797461#c43

+kmilka FYI, since you're looking at b/112048257
Cc: rdevlin....@chromium.org karandeepb@chromium.org
+karandeepb, since I suspect this may have something to do with https://crrev.com/c/1026996. 

It looks like that change added some necessary security restrictions. Can you help us figure out how to support getting the profile data without breaking the restrictions for extensions? Thanks!
I'm not sure https://crrev.com/c/1026996 would have affected this - it only hides requests from extensions, and shouldn't affect any other security restrictions.  droger@, if you can still repro on trunk, could you try reverting https://crrev.com/c/1026996 and seeing if that fixes the issue?  (I suspect not, but it's certainly possible!)
Labels: NTPOGB
Owner: kmilka@chromium.org
Status: Assigned (was: Available)
I tried checking out the commit landed right before https://crrev.com/c/1026996 and get the same errors, same with Chrome versions 63.0.3203.0 and 65.0.3283.0.
Another possible CSP problem with the OGB, not sure if it should be a separate bug.
I have seen the following errors after signing into Chrome:

[194004:194004:0822/105314.311490:ERROR:CONSOLE(0)] "Access to XMLHttpRequest at 'https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://notifications.google.com/u/0/_/idv2&followup=https://notifications.google.com/u/0/_/idv2&authuser=0' (redirected from 'https://notifications.google.com/u/0/_/idv2') from origin 'https://notifications.google.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://notifications.google.com/u/0/widget?sourceid=243&hl=en&origin=chrome-search%3A%2F%2Flocal-ntp&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.bSfaJ330ulQ.O%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9ETX0ujNe7X7enovCK61wuo61HKQ%2Fm%3D__features__#pid=243&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1534927993743&_gfid=I0_1534927993743&parent=chrome-search%3A%2F%2Flocal-ntp&pfname=&rpctoken=16872062 (0)

[194004:194004:0822/105314.315304:ERROR:CONSOLE(0)] "Access to XMLHttpRequest at 'https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://notifications.google.com/u/0/_/NotificationsOgbUi/idv/&followup=https://notifications.google.com/u/0/_/NotificationsOgbUi/idv/&authuser=0' (redirected from 'https://notifications.google.com/u/0/_/NotificationsOgbUi/idv/') from origin 'https://notifications.google.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://notifications.google.com/u/0/widget?sourceid=243&hl=en&origin=chrome-search%3A%2F%2Flocal-ntp&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.bSfaJ330ulQ.O%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9ETX0ujNe7X7enovCK61wuo61HKQ%2Fm%3D__features__#pid=243&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1534927993743&_gfid=I0_1534927993743&parent=chrome-search%3A%2F%2Flocal-ntp&pfname=&rpctoken=16872062 (0)
Cc: nyerramilli@chromium.org rbasuvula@chromium.org
Issue 880235 has been merged into this issue.
Labels: Target-71
Status: Fixed (was: Assigned)
This should be fixed now. Probably move c17 to a new bug if we're still seeing that issue.
Labels: Needs-Feedback
droger@: Can you confirm that the issue in comment 17 still occurs for you? (I cannot repro in M69 Stable or M71 Canary). Thanks!
