
Issue 924333


Issue metadata

Status: Unconfirmed
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug

Blocking:
issue 846346




Cross-Origin Read Blocking is too aggressive in v73

Reported by kurtext...@gmail.com, Today (7 hours ago)

Issue description

Chrome Version       : 73.0.3673.0 and 73.0.3679.0 
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari:
    Firefox:
       Edge:

What steps will reproduce the problem?
(1) Download extension: https://github.com/kurtextrem/Youtube-Description-For-Gmail/blob/master/src/contentscript.js (https://chrome.google.com/webstore/detail/youtube-description-for-g/embohholcgoomfkcgighhokmnpebcoel)
(2) Go to Gmail, open a YT notification. Or do a fetch from Gmail to e.g. "https://www.youtube.com/attribution_link?a=FJ9IAUmE84_jgMoD&u=/watch%3Fv%3DWYPpjM0RyyM%26feature%3Dem-uploademail"
(3) Look at the dev tools

What is the expected result?
Request isn't blocked


What happens instead?
Request is blocked, with the message "Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.youtube.com/watch?v=5-yQkP5O_1o&feature=em-uploademail with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details."
("https://www.youtube.com/attribution_link?a=FJ9IAUmE84_jgMoD&u=/watch%3Fv%3DWYPpjM0RyyM%26feature%3Dem-uploademail" is forwarded to "https://www.youtube.com/watch?v=5-yQkP5O_1o&feature=em-uploademail")

Please provide any additional information below. Attach a screenshot if
possible.

This didn't happen in v72. I'm pretty sure it worked in v73.0.3664.3.
 

Comment 1 by lukasza@chromium.org, Today (6 hours ago)

Blocking: 846346
Cc: rdevlin....@chromium.org
Components: Platform>Extensions Internals>Sandbox>SiteIsolation
Owner: lukasza@chromium.org
Thank you very much for the report!  This is quite likely related to https://chromium.org/Home/chromium-security/extension-content-script-fetches.  I'll try to take a closer look today or tomorrow - most likely we will need to land a CL that adds this extension to the "allowlist".

kurtextrem@, could you please confirm that things work fine when Chrome is launched with the following cmdline flag: --disable-features=BypassCorbOnlyForExtensionsAllowlist
If this doesn't help, then can you also help me understand the repro steps better, by explaining in more detail what you mean by "open a YT notification"?

Comment 2 by lukasza@chromium.org, Today (6 hours ago)

Labels: -Pri-3 Target-73 Pri-1

Comment 3 by lukasza@chromium.org, Today (6 hours ago)

Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
