Add google.TLD to Local NTP CSP
Issue description: If the interactive doodle iframe is from a TLD other than .com, it's blocked by our CSP. We should add all google.TLDs to the CSP, or maybe just the Google base URL?
Oct 25
Looks like we'll have to add https://*.google.* to the CSP. The response from ddljson isn't dependent upon the request address; https://www.google.com.sg/async/ddljson still returns data referencing google.com. Probably based on other request headers.
Oct 26
Huh, I thought we could just always serve Doodles from google.com. (Due to some unrelated recent-ish changes, the TLD actually has very little effect on anything.) Before making any changes to the CSP, I'd recommend reaching out to the Doodle folks to figure out if that's not the case anymore.
Oct 26
Does the ddljson API return absolute URLs using country TLDs? If so, I think that'd be a bug in ddljson, since it should just return google.com. However, maybe it actually returns relative URLs and Chrome resolves them against the ddljson base URL. In that case, the fix might need to be in Chrome. If you do end up changing the CSP, you probably want to check with Chrome security first.
Oct 26
Yeah, I can't reproduce ddljson returning anything but google.com. Another possibility is that the doodle somehow appeared expired and it redirected to the appropriate gallery URL (https://www.google.TLD/doodles/something?doodle=1234).
Oct 26
Ah, read through some of this domainless stuff and tried various combinations of TLDs and sending '?gl=XX', which eliminated all my ideas. I'll investigate more / talk to the doodle team.
Oct 30
Testing with today's Halloween Doodle: navigating to 'http://www.google.com/async/ddljson?gl=mx' returns a ddljson with "fullpage_interactive_url":"https://www.google.com.mx/?fpdoodle\u003d1\u0026doodle\u003d73509581\u0026hl\u003des-419". So, looks like a bug in ddljson returning google.TLD.
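As an added illustration, not code from this bug thread or from Chromium, here is a small Python checker that applies CSP host-source matching to a frame URL, which is the check the thread is doing by hand. It follows the CSP3 `host-part` grammar, under which a `*` is legal only as the whole host or as the leftmost label, so a TLD wildcard such as `*.google.*` does not parse and a browser skips it; it simplifies the rest (no path or port matching, and a source without a scheme matches any scheme). The JSON sample is constructed: the `fullpage_interactive_url` key and its value are taken from the response quoted above, while the surrounding structure and the helper names (`source_matches`, `frame_allowed`, `check_doodle_frame`) are assumptions for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Simplified CSP3 host-source grammar (scheme://host, no port or path):
#   host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
# "*" is only valid as the entire host or as the leftmost label, so a
# wildcard in the TLD position ("*.google.*") is not a source expression.
_HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)$",
    re.IGNORECASE,
)


def parse_host_source(src):
    """Parse one frame-src source expression; ValueError if the grammar rejects it."""
    m = _HOST_SOURCE.match(src)
    if not m:
        raise ValueError(f"invalid host-source: {src!r}")
    return {"scheme": (m["scheme"] or "").lower(), "host": m["host"].lower()}


def is_valid_source(src):
    """True if the source expression parses under the (simplified) grammar."""
    try:
        parse_host_source(src)
        return True
    except ValueError:
        return False


def source_matches(src, url):
    """True if the URL's scheme and host are covered by the source expression."""
    s = parse_host_source(src)
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    # Simplification: a source without a scheme matches any scheme here.
    if s["scheme"] and s["scheme"] != u.scheme.lower():
        return False
    if s["host"] == "*":
        return True
    if s["host"].startswith("*."):
        suffix = s["host"][1:]  # "*.google.com" -> ".google.com"
        # Per CSP, "*.google.com" covers www.google.com but not google.com itself.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == s["host"]


def frame_allowed(policy, url):
    """Evaluate a frame-src source list; unparsable entries are skipped, as a browser does."""
    return any(source_matches(src, url) for src in policy if is_valid_source(src))


# Constructed sample modelled on the ddljson response quoted in the thread;
# only the key name and its value come from the thread, the rest is assumed.
SAMPLE_DDLJSON = json.dumps({
    "fullpage_interactive_url":
        "https://www.google.com.mx/?fpdoodle=1&doodle=73509581&hl=es-419",
})

# Hypothetical frame-src list for the local NTP (assumption for this example).
POLICY = ["https://*.google.com", "https://*.google.*"]


def check_doodle_frame(ddljson_text, policy):
    """Return (frame URL, allowed?) for the interactive doodle in a ddljson body."""
    url = json.loads(ddljson_text)["fullpage_interactive_url"]
    return url, frame_allowed(policy, url)


if __name__ == "__main__":
    for src in POLICY:
        print(f"{src}: {'valid' if is_valid_source(src) else 'ignored (invalid host-source)'}")
    print(check_doodle_frame(SAMPLE_DDLJSON, POLICY))
```

Running it shows the two facts the thread turns on: `https://*.google.com` does not cover `www.google.com.mx`, and the proposed `https://*.google.*` is dropped by the parser rather than widening the policy, so the iframe stays blocked until either every google.TLD host is listed explicitly or ddljson returns a google.com URL.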
Oct 30
Oct 30
Oct 30
Internal bug: b/118703697
Oct 31
Comment 1 by kmilka@chromium.org, Oct 25