
Issue 872505

Starred by 8 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 27
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome
Pri: 1
Type: Bug




citibank site seems broken on chromebooks (chrome 68.0.3440.87)

Project Member Reported by semenzato@chromium.org, Aug 8

Issue description

Reported by Paul (on cc:) on chromeos-discuss.


----------
Anyone tried logging into https://online.citi.com from a Chromebook?

I can log in from other systems in Chrome just fine, but on a Pixelbook I get "Error accessing your account information" and a warning about Flash being blocked, even though Flash is set to "always allow" for online.citi.com.

Clicking on the "Allow Flash" in the popup has no effect.

If I poke around in the console logs I do find the message "Cross-origin plugin content from must have a visible size larger than 400 x 300 pixels", but looking at the source of the webpage I don't see any <object> tags.
----------

confirmed by me (reporter) on Eve beta channel with chrome 68.0.3440.87 (doesn't work) and Linux chrome 68.0.3440.84 (Official Build) (64-bit).
 
I have tried notifying the Citibank staff about this problem (customer message, and general feedback).  There's some chance that the message will get routed to the right people.
This doesn't appear to be a Citibank issue, or at least not beyond the use
of flash on the website.

The problem is specific to the combination of Chrome & a Chromebook.  Other
browsers and other platforms work fine, and the error message in the logs
reeks of an abuse-detection heuristic gone wrong.

Paul J. Ste. Marie | Bug Collector | pstemari@google.com | (425) 272-5757
Cc: abodenha@chromium.org
Labels: OS-Chrome
Thank you Paul.  Albert, do we need to escalate this?
Cc: lafo...@chromium.org adobe-flash@chromium.org
Owner: drott@chromium.org
Adding more Flash-knowledgeable people to the conversation.

A major bank still using Flash as a primary component on their site is troubling, esp. given the effort Chrome team has been putting into getting people off of Flash.  

laforge@ do you know if anyone has reached out to Citibank? Even without this bug Flash dependencies mean that their customers on Chrome are going to have a bad time.
Cc: drott@chromium.org
Owner: ----
abodenha@, I am not a flash knowledgeable person - please find a more suitable owner. (I assume because I temporarily owned issue 866645 you may have thought so.)
Status: ExternalDependency (was: Untriaged)
Due to tracking/abuse, we affirmatively block invisible/tiny off-origin Flash content (~90% of Flash usage was attributable to tracking and viewability).  This behavior has been present since June (1) of last year.

If this issue is specific to Chromebooks, it's likely that Citi is doing incorrect UA detection and putting ChromeOS down the Flash path.

Beyond outreach, which was done in comment #1, I don't foresee any additional changes to Chrome's behavior, particularly in light of the impending deprecation (2).  

(1) - https://www.chromium.org/flash-roadmap#TOC-PPS-Tiny---Remove-Un-sized-0x0-or-hidden-content-Exceptions-Target:-Chrome-59---June-2017-

(2) - https://blogs.adobe.com/conversations/2017/07/adobe-flash-update.html
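
The size rule described in the comment above, and quoted in the console message from the issue description, sketched as an added example that is not part of the original thread or Chromium's code. It assumes "larger than 400 x 300" means both dimensions must exceed the threshold; the function names, verdict labels and sample hosts are hypothetical.

```javascript
// Added example: simplified model of the rule quoted in this thread.
// Assumption: "larger than 400 x 300" is read as both dimensions exceeding
// the threshold; Chrome's real heuristic has more cases than this model.
const MIN_WIDTH = 400;
const MIN_HEIGHT = 300;

// Classify one embed descriptor {src, width, height, visible} for a page URL.
function classifyEmbed(embed, pageUrl) {
  let embedOrigin;
  try {
    // Relative src values resolve against the page, so they stay same-origin.
    embedOrigin = new URL(embed.src, pageUrl).origin;
  } catch (err) {
    return "invalid-src";
  }
  if (embedOrigin === new URL(pageUrl).origin) return "same-origin";
  // Hidden or zero-area cross-origin content is the tracking pattern the
  // comment describes.
  if (!embed.visible || embed.width <= 0 || embed.height <= 0) {
    return "blocked-invisible";
  }
  if (embed.width > MIN_WIDTH && embed.height > MIN_HEIGHT) return "allowed";
  return "blocked-too-small";
}

// Return only the embeds a site owner would need to resize or replace.
function auditEmbeds(embeds, pageUrl) {
  return embeds
    .map((e) => ({ src: e.src, verdict: classifyEmbed(e, pageUrl) }))
    .filter((r) => r.verdict.startsWith("blocked"));
}

// Constructed sample data (hypothetical hosts, not taken from the Citi site).
const PAGE = "https://bank.example/login";
const SAMPLE_EMBEDS = [
  { src: "/swf/chart.swf", width: 120, height: 60, visible: true },
  { src: "https://cdn.example/fp.swf", width: 1, height: 1, visible: true },
  { src: "https://cdn.example/beacon.swf", width: 0, height: 0, visible: false },
  { src: "https://cdn.example/player.swf", width: 640, height: 480, visible: true },
  { src: "https://cdn.example/edge.swf", width: 400, height: 300, visible: true },
];

console.log(auditEmbeds(SAMPLE_EMBEDS, PAGE));
```
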
#6 thanks.  I have tried to reach Citi in three ways (by voice just now) but I am not confident that this information will be made available to their technical staff.  (Citi: if you see this, please leave a note.)
The issue is definitely Chromebook-specific. When I load the site on Linux
the page doesn't appear to contain any Flash, although the center section
of the page is loaded dynamically.

Paul J. Ste. Marie | Bug Collector | pstemari@google.com | (425) 272-5757
Cc: baris@chromium.org
I'm able to consistently reproduce this on m70.x and also called Citibank to notify.
I have no idea if this is related in any way, but I found #enable-experimental-web-platform-features breaks citi with the same error.

https://bugs.chromium.org/p/chromium/issues/detail?id=883725
I have tried multiple Chromebook models and got the same error described by semenzato@.  Chrome running on a MacBook worked fine.  Incognito mode does not help either.  I called Citi support a couple of times and they have been blaming it on Chromebooks.

This is a serious issue for me that deserves some attention.  How do I escalate?
A workaround might be to install a UA spoofer to pretend to not be a Chromebook:
https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg?hl=en-US
I've attempted to spoof the UA using the devtools but the website is still broken. I think the problem is more than just the UA string.

(ex. enable-experimental-web-platform-features is unrelated to the UA string.)
Labels: -Pri-2 Pri-1
Status: Available (was: ExternalDependency)
Does this deserve to be escalated?  I'll tentatively do that, but please downgrade if I am wrong.

Comment #6 contains the root cause, which suggests that this needs to be fixed by Citi.  Do we have other ways of reaching them?  My approach was earnest but weenie and probably not effective.

+1 - I'm not able to log in to my Citi account from a Chromebook. I have no issues from a Mac.
Labels: Needs-Evangelism
Are you sure this problem is on Citi's side and related to flash? I set the UA string to be:

"Mozilla/5.0 (X11; CrOS x86_64 10066.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"

and it still works on OS X and fails on Chrome OS. This might be a bug in Chrome.
The breakage appears to be the result of the use of a Flash widget that's
smaller than what the security provisions in Chrome find acceptable. On the
one side, you have Citibank's use of Flash, and on the other, Chrome's
refusal to display it.

Paul J. Ste. Marie | Bug Collector | pstemari@google.com | (425) 272-5757
pstemari, you keep blaming Flash but what is the evidence? Flash is no different on a Chromebook from Win, Mac, Linux.
The JavaScript console contains error messages stating that the Flash
widget is too small, and the status bar contains a message stating that
Flash was blocked.

In the meantime the actual display has a big empty frame that appears to
want to use Flash as its display area.

Paul J. Ste. Marie | Bug Collector | pstemari@google.com | (425) 272-5757
Status: ExternalDependency (was: Available)
The only experiment I can think of is to use an old ChromeOS image (that used to work with Citibank) and see if it still works. But absent any Citibank test account nobody is going to debug this on the Chromium side. (And I personally recommend not to use a real account if you depend on the money in your account.)
It's not Chromebook-specific; the same thing happens in a Linux browser:

Google Chrome	70.0.3538.45 (Official Build) beta (64-bit)
Revision	cbdc32e4334458954e9def214d7e5fa1ca1960eb-refs/branch-heads/3538@{#830}
OS	Linux
JavaScript	V8 7.0.276.25

It was working fine a few months ago but I guess Citibank changed something. I even complained hard enough that I wasn't able to make a payment online for my Costco Visa card and they gave me $30 credit.
Cc: sabujp@google.com
Labels: OS-Linux
Or the constant push to upgrade caused a breaking change in some version of Chrome. I want to say it was working pre-v65, but I'm not 100% sure.
Labels: -Needs-Evangelism Needs-Investigation
So for Chrome I keep getting a Flash plugin blocked warning and even if I enable it, it still keeps popping up. But the strange thing is that the website works fine in Firefox 60.2.0esr (Linux) and I don't have Flash installed in that at all. So somehow Citibank is detecting and trying to use Flash when it shouldn't.
I completely disabled Flash in Chrome; according to detectmybrowser.com Flash isn't detected, so now I'm more puzzled.
Tried it again today and it worked for me.  Chrome version is:

Google Chrome	71.0.3578.8 (Official Build) dev (64-bit)
Revision	a2c2b8f674ee3b7372bc87891e04a14a0e51e812-refs/branch-heads/3578@{#14}
Platform	11151.4.0 (Official Build) dev-channel eve
Firmware Version	Google_Eve.9584.174.0
Customization ID	GOOGLE-EVE
ARC	5067914
JavaScript	V8 7.1.302.2
Flash	31.0.0.122 /opt/google/chrome/pepper/libpepflashplayer.so
User Agent	Mozilla/5.0 (X11; CrOS x86_64 11151.4.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.8 Safari/537.36


Don't know what changed, but maybe it's fixed or getting closer?

Comment 27 Deleted

Confirmed, it's fixed in the latest Linux beta:


Google Chrome	71.0.3578.20 (Official Build) beta (64-bit)
Revision	be2b6ea800808b865cd07ab76acf9e2a009c045a-refs/branch-heads/3578@{#254}
OS	Linux
JavaScript	V8 7.1.302.4
Flash	31.0.0.122 /home/sabujp/.config/google-chrome-beta/PepperFlash/31.0.0.122/libpepflashplayer.so
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.20 Safari/537.36
Status: Verified (was: ExternalDependency)
