
Issue 907018

Starred by 14 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression

Blocking:
issue 905971




Fonts/Videos not loading - blocked by CORS restrictions

Reported by pcgo...@gmail.com, Nov 20

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3616.0 Safari/537.36

Example URL:
https://www.youtube.com

Steps to reproduce the problem:
1. Go to https://www.youtube.com
2. Check console for errors

What is the expected behavior?
Fonts and videos work correctly

What went wrong?
All CORS requests to Google domains are blocked with messages like:
Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response.

This happens for fonts, youtube video files, etc. loaded from Google domains on all sites using those files.

CORS protections should probably (and most likely did before?) ignore the "x-client-data" header if it's automatically added.

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? Yes 72.0.3614.0

Does this work in other browsers? Yes

Chrome version: 72.0.3616.0  Channel: canary
OS Version: 10.0
Flash Version:
 
Can confirm, no YouTube videos are loading for me.

Oddly enough, if I go incognito, the videos load just fine.
Labels: Needs-Bisect Needs-Triage-M72
Cc: yhirano@chromium.org
Components: -Blink Blink>SecurityFeature>CORS Blink>Loader
Owner: toyoshim@chromium.org
Status: Assigned (was: Unconfirmed)
Cc: viswa.karala@chromium.org
Labels: -Type-Bug -Pri-2 -Needs-Bisect hasbisect-per-revision Triaged-ET RegressedIn-64 Target-70 Target-71 Target-72 FoundIn-72 M-72 FoundIn-71 FoundIn-70 OS-Linux OS-Mac Pri-1 Type-Bug-Regression
Able to reproduce the issue on the reported version 72.0.3616.0 (with the #out-of-blink-cors flag enabled) using Mac 10.12.6, Ubuntu 14.04 and Windows-10, hence providing Bisect Info.

Note: With default Chrome settings, unable to reproduce the issue on the reported Chrome version and on #72.0.3614.0. But with the "#out-of-blink-cors" flag enabled, able to reproduce the issue on the reported version and on #72.0.3614.0. On enabling the "out-of-blink-cors" flag in chrome://flags, able to play the YouTube video in earlier Chrome versions, hence providing the bisect range and change-log below with the "out-of-blink-cors" flag enabled.

Bisect Info:
================
Good build: 64.0.3256.0
Bad build: 64.0.3257.0

You are probably looking for a change made after 513424 (known good), but no later than 513425 (first known bad).
https://chromium.googlesource.com/chromium/src/+log/aa8a267bcfcd8a454b57c69012c6c95c6f612d22..b463fdc0bafb4e9e3a1da7f78a7fad74ebf0e06b
Change-Id: I2ff7af8dc54cf1c519e9c0b44478dace80b8f155
Reviewed-on: https://chromium-review.googlesource.com/735242

@Takashi Toyoshima: Please confirm the issue and help in re-assigning if it is not related to your change.

Thanks!	
Blocking: 905971
Cc: toyoshim@chromium.org
 Issue 907261  has been merged into this issue.
Labels: -RegressedIn-64 -FoundIn-70 -Target-70 -Target-71 -FoundIn-71
Status: Started (was: Assigned)
This is a known issue that happens only when the experimental feature, OutOfBlinkCors, is enabled. So, let me remove *-70 and *-71 labels.

Since we are running a field trial and trying to enable it on m72, I will keep *-72 flags.

I am already working on a fix.
If you open any site and open console from dev tools, you will see that some parts of the web site are blocked by CORS Policy.
Same, neither YouTube nor Facebook videos are loading for me.
Project Member

Comment 10 by bugdroid1@chromium.org, Nov 22

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2141c235865db17d233f727b9d4303dafb324d31

commit 2141c235865db17d233f727b9d4303dafb324d31
Author: Takashi Toyoshima <toyoshim@chromium.org>
Date: Thu Nov 22 05:44:03 2018

OOR-CORS: Make VariationsHttpHeadersBrowserTest pass with kOutOfBlinkCORS

Chrome internally uses X-Client-Data header, and this should not
trigger CORS preflight request.

TBR=jochen@chromium.org

Bug: 870173,  907018 
Change-Id: I67f1711b9065223f9e174e207980940e175031e9
Reviewed-on: https://chromium-review.googlesource.com/c/1335076
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610313}
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/chrome/common/google_url_loader_throttle.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/content/renderer/loader/web_url_loader_impl.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/content/renderer/pepper/url_request_info_util.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/services/network/public/cpp/network_ipc_param_traits.h
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/services/network/public/cpp/resource_request.h
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/services/network/url_loader.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/public/platform/web_url_request.h
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/renderer/platform/exported/web_url_request.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
[modify] https://crrev.com/2141c235865db17d233f727b9d4303dafb324d31/third_party/blink/renderer/platform/loader/fetch/resource_request.h
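
The failure quoted in the report and the rule stated in the commit message above, as an added example (not Chromium's code): a simplified model of the Fetch CORS request-header check. `corsHeaderCheck`, `BROWSER_ADDED`, the header value and the `Access-Control-Allow-Headers` values are hypothetical names and constructed data.

```javascript
// Simplified model of the Fetch CORS request-header check.
// Added illustration; not Chromium's implementation.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Constructed sample: the one non-safelisted header on the font request in
// the report. The value is a placeholder, not a real header payload.
const FONT_REQUEST_HEADERS = { "X-Client-Data": "PLACEHOLDER" };
// Assumption: headers the browser injects itself are tracked separately.
const BROWSER_ADDED = new Set(["x-client-data"]);

// Lowercased names of the headers that force a preflight.
function unsafeHeaderNames(headers, exempt = new Set()) {
  const names = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (exempt.has(n)) continue; // browser-injected: skipped by the check
    if (SAFELISTED.has(n) && value.length <= 128) continue;
    const mime = value.split(";")[0].trim().toLowerCase();
    if (n === "content-type" && SAFE_CONTENT_TYPES.has(mime)) continue;
    names.push(n);
  }
  return names.sort();
}

// Compare the request's unsafe headers with the preflight response's
// Access-Control-Allow-Headers value. `blocked` names the first header the
// server did not allow, or null when the request may proceed.
function corsHeaderCheck(headers, allowHeaders, opts = {}) {
  const { exempt = new Set(), credentials = false } = opts;
  const unsafe = unsafeHeaderNames(headers, exempt);
  if (unsafe.length === 0) return { preflight: false, blocked: null };
  const allowed = new Set(
    (allowHeaders || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only without credentials, and never covers Authorization.
  const wildcard = allowed.has("*") && !credentials;
  const blocked = unsafe.find(
    (n) => !allowed.has(n) && !(wildcard && n !== "authorization")
  );
  return { preflight: true, blocked: blocked ?? null };
}

// Regressed behaviour: the injected header is checked like an author header.
console.log(corsHeaderCheck(FONT_REQUEST_HEADERS, "content-type"));
// With the injected header exempted, no preflight is needed at all.
console.log(corsHeaderCheck(FONT_REQUEST_HEADERS, "content-type", { exempt: BROWSER_ADDED }));
```

The exemption is safe only for headers that page script cannot set or influence; a header a page can control must stay subject to the check.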

Status: Fixed (was: Started)
Probably 72.0.3618.0 will pick up this fix.
Cc: phanindra.mandapaka@chromium.org
 Issue 907606  has been merged into this issue.
 Issue 907652  has been merged into this issue.
Cc: susan.boorgula@chromium.org
 Issue 907942  has been merged into this issue.
 Issue 907953  has been merged into this issue.
Labels: TE-Verified-M72 TE-Verified-72.0.3619.0
Able to reproduce the issue on a Chrome build without the fix.
Verified the fix on Mac 10.12.6, Windows-10 and Ubuntu 17.10 using Chrome version #72.0.3619.0 as per the comment #0.
Attaching screencast for reference.
Observed "YouTube videos work correctly with #out-of-blink-cors flag default and enabled"
Hence, the fix is working as expected. 
Adding the verified labels.

Thanks...!!
907018.mp4 (3.9 MB)
 Issue 908465  has been merged into this issue.
