Fonts/Videos not loading - blocked by CORS restrictions
Reported by pcgo...@gmail.com, Nov 20
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3616.0 Safari/537.36

Example URL: https://www.youtube.com

Steps to reproduce the problem:
1. Go to https://www.youtube.com
2. Check console for errors

What is the expected behavior?
Fonts and videos work correctly

What went wrong?
All CORS requests to Google domains are blocked with messages like:

Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response.

This happens for fonts, youtube video files, etc. loaded from Google domains on all sites using those files. CORS protections should probably (and most likely did before?) ignore the "x-client-data" header if it's automatically added.

Does it occur on multiple sites: Yes
Is it a problem with a plugin? No
Did this work before? Yes 72.0.3614.0
Does this work in other browsers? Yes

Chrome version: 72.0.3616.0 Channel: canary
OS Version: 10.0
Flash Version:
Nov 21
Able to reproduce the issue on reported version 72.0.3616.0 (with #out-of-blink-cors flag enabled) using Mac 10.12.6, Ubuntu 14.04 and Windows-10, hence providing Bisect Info.

Note: With default chrome settings unable to reproduce the issue on chrome reported version and on #72.0.3614.0. But, with "#out-of-blink-cors" flag enabled able to reproduce the issue on reported version and on #72.0.3614.0.

On enabling "out-of-blink-cors" flag in chrome://flags, able to play the YouTube video in earlier chrome versions, hence providing below bisect range and change-log by enabling "out-of-blink-cors" flag.

Bisect Info:
================
Good build: 64.0.3256.0
Bad build: 64.0.3257.0

You are probably looking for a change made after 513424 (known good), but no later than 513425 (first known bad).

https://chromium.googlesource.com/chromium/src/+log/aa8a267bcfcd8a454b57c69012c6c95c6f612d22..b463fdc0bafb4e9e3a1da7f78a7fad74ebf0e06b

Change-Id: I2ff7af8dc54cf1c519e9c0b44478dace80b8f155
Reviewed-on: https://chromium-review.googlesource.com/735242

@Takashi Toyoshima: Please confirm the issue and help in re-assigning if it is not related to your change.

Thanks!
Nov 21
This is a known issue that happens only when the experimental feature, OutOfBlinkCors, is enabled. So, let me remove *-70 and *-71 labels. Since we are running a field trial and trying to enable it on m72, I will keep *-72 flags. I am already working on a fix.
Nov 21
If you open any site and open console from dev tools, you will see that some parts of the web site are blocked by CORS Policy.
Nov 22
Same, neither YouTube nor Facebook videos are loading for me.
Nov 22
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2141c235865db17d233f727b9d4303dafb324d31

commit 2141c235865db17d233f727b9d4303dafb324d31
Author: Takashi Toyoshima <toyoshim@chromium.org>
Date: Thu Nov 22 05:44:03 2018

OOR-CORS: Make VariationsHttpHeadersBrowserTest pass with kOutOfBlinkCORS

Chrome internally uses X-Client-Data header, and this should not trigger CORS preflight request.

TBR=jochen@chromium.org
Bug: 870173, 907018
Change-Id: I67f1711b9065223f9e174e207980940e175031e9
Reviewed-on: https://chromium-review.googlesource.com/c/1335076
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610313}

[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/chrome/common/google_url_loader_throttle.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/content/renderer/loader/web_url_loader_impl.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/content/renderer/pepper/url_request_info_util.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/services/network/public/cpp/network_ipc_param_traits.h
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/services/network/public/cpp/resource_request.h
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/services/network/url_loader.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/public/platform/web_url_request.h
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/renderer/platform/exported/web_url_request.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/renderer/platform/loader/fetch/resource_request.h
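
Added example, not part of the original thread and not Chromium's code: a simplified model of the Fetch standard's preflight rules, showing why a browser-attached X-Client-Data header produces the reported error and why leaving it out of the check avoids the preflight. The `exempt` parameter, the header value and the server's allow-list are assumptions constructed for illustration.

```javascript
// Simplified model of the Fetch standard's preflight rules; not Chromium's code.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Names of request headers that are not CORS-safelisted and so force a
// preflight. `exempt` (hypothetical parameter) models headers the browser
// attaches itself and leaves out of the check, which is what the commit
// message above asks for in the case of X-Client-Data.
function unsafeHeaderNames(headers, exempt = new Set()) {
  const names = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (exempt.has(name) || SAFELISTED.has(name)) continue;
    if (name === "content-type" &&
        SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase())) continue;
    names.push(name);
  }
  return names.sort();
}

// First header name the preflight response fails to allow, or null.
// "*" acts as a wildcard only for requests sent without credentials,
// and never covers Authorization.
function firstDisallowed(names, allowHeaders, withCredentials = false) {
  const allowed = new Set(
    (allowHeaders || "").split(",").map((s) => s.trim().toLowerCase()));
  const wildcard = allowed.has("*") && !withCredentials;
  for (const name of names) {
    if (allowed.has(name)) continue;
    if (wildcard && name !== "authorization") continue;
    return name;
  }
  return null;
}

function simulate(headers, allowHeaders, exempt = new Set()) {
  const names = unsafeHeaderNames(headers, exempt);
  if (names.length === 0) return { preflight: false, blockedBy: null };
  return { preflight: true, blockedBy: firstDisallowed(names, allowHeaders) };
}

// Constructed sample: header value and server allow-list are placeholders.
const request = { "X-Client-Data": "PLACEHOLDER" };
const serverAllow = "Content-Type, Range";
console.log(simulate(request, serverAllow));
console.log(simulate(request, serverAllow, new Set(["x-client-data"])));
```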
Nov 22
Probably 72.0.3618.0 will pick up this fix.
Nov 22
Issue 907652 has been merged into this issue.
Nov 23
Issue 907953 has been merged into this issue.
Nov 23
Able to reproduce the issue on a chrome version built without the fix. Verified the fix on Mac 10.12.6, Windows-10 and Ubuntu 17.10 using Chrome version #72.0.3619.0 as per the comment #0. Attaching screencast for reference.

Observed "YouTube videos work correctly with #out-of-blink-cors flag default and enabled". Hence, the fix is working as expected. Adding the verified labels.

Thanks...!!
Dec 5
Issue 908465 has been merged into this issue.
Comment 1 by hlvehe...@gmail.com, Nov 20