Modification of request header collection causes video stream issues

[Jonas-Axelsson]

• What version of the product are you using? CefSharp 85.3.130 from Nuget, with custom built CEF from branch 4183 using the following flags:

  • is_component_build=false
  • proprietary_codecs=true
  • ffmpeg_branding=Chrome

• What architecture x86 or x64? x64

• On what operating system? Win10

• Are you using WinForms, WPF or OffScreen? WPF

• What steps will reproduce the problem? Our client/server-based application uses an internal CefSharp WPF browser (client side) in tandem with an internal proxy (server side) to display web pages in an embedded fashion. For our purposes we need to attach custom headers with every web request. We have been able to do this successfully in the past (CefSharp 79.x.xxx) using the IResourceRequestHandler.OnBeforeResourceLoad method.

  We recursively update the CefSharp packages after every major update, but during this cycle we encountered unusual issues; Test runs with a freshly updated CefSharp (v85.3.130 + custom CEF build as described in the version info above) showed that certain video streams no longer loaded or played in the browser at all. Specifically videos in the YouTube encoding standard (H264 video and AAC audio) which we should have proper support for.

  We traced the issue back to the IResourceRequestHandler.OnBeforeResourceLoad method, if we modify the header collection here (using either the newer IRequest.SetHeaderByName or the traditional overwriting of the IRequest.Headers collection with a modified one) the video streams malfunction as described above. If we remove the addition of custom headers, all video streams work as expected again, but sadly our application needs these custom headers to function correctly, and they have to be added before the request leaves the CefSharp browser (i.e. before they reach our internal proxy).

  (We tested to see if the name of the headers added matter, but they do not, as long as we add anything to the header collection at this stage the video streams malfunction.)

  Since our application is company intellectual property we sadly cannot provide extensive code samples, we can however cover the main areas that concern CefSharp (The OnBeforeResourceLoad method does nothing except add 2 custom headers and then return CefReturnValue.Continue):

  Initialisation of CefSharp and all browser instances:

CefSettings settings = new CefSettings
{
    CachePath = cachePath,
    WindowlessRenderingEnabled = true,
    MultiThreadedMessageLoop = true,
    ExternalMessagePump = false
};

settings.CefCommandLineArgs.Add("enable-npapi");
settings.CefCommandLineArgs.Add("enable-media-stream");
settings.CefCommandLineArgs.Add("allow-universal-access-from-files");
settings.SetOffScreenRenderingBestPerformanceArgs();

Cef.Initialize(settings);

chromiumWebBrowser = new ChromiumWebBrowser
{
    SnapsToDevicePixels = true,
    RequestHandler = requestHandler,
    DownloadHandler = downloadHandler,
    MenuHandler = menuHandler,
    AllowDrop = true,
    LifeSpanHandler = lifeSpanHandler,
    KeyboardHandler = keyboardHandler,
    BrowserSettings = new BrowserSettings
    {
        FileAccessFromFileUrls = CefState.Enabled,
        Javascript = CefState.Enabled,
        JavascriptAccessClipboard = CefState.Enabled,
        JavascriptDomPaste = CefState.Enabled,
        UniversalAccessFromFileUrls = CefState.Enabled,
        WebGl = CefState.Enabled,
        JavascriptCloseWindows = CefState.Enabled
    }
};

• What is the expected output? What do you see instead? Functioning video streams for the encoding options we support and the ability to add custom headers. Instead some of those streams never start, seemingly 'buffering' forever (seems to only happen to H264/AAC streams), as long as custom headers are added in the OnBeforeResourceLoad stage.

• Please provide any additional information below. The CEF log (debug.log) seems to contain nothing relevant:

  • [1109/104324.625:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/ (0)
  • [1109/104324.625:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/ (0)
  • [1109/104324.719:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxK.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/ (0)
  • [1109/104324.757:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9fBBc4.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/ (0)
  • [1109/104324.988:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/ytsans/v10/46kqlb3ta3zqoJU2dbvnb0Jg0g.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/ (0)
  • [1109/104324.988:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc4.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/ (0)
  • [1109/104328.096:INFO:CONSOLE(0)] "The resource https://i.ytimg.com/generate_204 was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it has an appropriate as value and it is preloaded intentionally.", source: https://www.youtube.com/ (0)
  • [1109/104329.337:INFO:CONSOLE(8570)] "observer method collapsedChange_ not defined", source: https://www.youtube.com/s/desktop/d8cf988e/jsbin/desktop_polymer_inlined_html_polymer_flags.vflset/desktop_polymer_inlined_html_polymer_flags.js (8570)
  • [1109/104329.358:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'https://r3---sn-5aauxax-0hxe.googlevideo.com/videoplayback?expire=1604936612&ei=RA-pX5fZB4KP7ASu05yQCw&ip=195.60.68.148&id=o-AJaY4Ts2u3uF6M7x5A3VxNQFYce2YpzcGPCddUGXWc69&itag=397&aitags=133%2C134%2C135%2C136%2C137%2C160%2C242%2C243%2C244%2C247%2C248%2C278%2C394%2C395%2C396%2C397%2C398%2C399&source=youtube&requiressl=yes&mh=Qw&mm=31%2C29&mn=sn-5aauxax-0hxe%2Csn-5goeen7y&ms=au%2Crdu&mv=m&mvi=3&pl=23&initcwndbps=5978750&vprv=1&mime=video%2Fmp4&gir=yes&clen=1738146&dur=39.998&lmt=1600687745572217&mt=1604914832&fvip=3&keepalive=yes&c=WEB&txp=5531432&sparams=expire%2Cei%2Cip%2Cid%2Caitags%2Csource%2Crequiressl%2Cvprv%2Cmime%2Cgir%2Cclen%2Cdur%2Clmt&sig=AOq0QJ8wRgIhAK9oJxy78lqljopf8HyWeJWNPBWJ9fVAb73phFZb56iPAiEA9hZWFZYVBmh7dcv5uYDri9cSlijg2lrFh2R92hmuAz8%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=AG3C_xAwRAIgeptW5HzPHo1OdTon-dbIQofYwIAQ2YG5_QOanfj1Ig0CICgzKKB1XTcxcQJVb5loVC9zv_Sn501c_zWgz_hvRrVW&alr=yes&cpn=sEWHHOwZJuZfQGfn&cver=2.20201105.01.01&range=0-129743&rn=1&rbuf=0' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104329.361:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'https://r3---sn-5aauxax-0hxe.googlevideo.com/videoplayback?expire=1604936612&ei=RA-pX5fZB4KP7ASu05yQCw&ip=195.60.68.148&id=o-AJaY4Ts2u3uF6M7x5A3VxNQFYce2YpzcGPCddUGXWc69&itag=251&source=youtube&requiressl=yes&mh=Qw&mm=31%2C29&mn=sn-5aauxax-0hxe%2Csn-5goeen7y&ms=au%2Crdu&mv=m&mvi=3&pl=23&initcwndbps=5978750&vprv=1&mime=audio%2Fwebm&gir=yes&clen=500773&dur=40.021&lmt=1568060572342935&mt=1604914832&fvip=3&keepalive=yes&c=WEB&txp=5531432&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Cvprv%2Cmime%2Cgir%2Cclen%2Cdur%2Clmt&sig=AOq0QJ8wRgIhANO9Ealrzx_pYk6N8nKN2VVgRg0aJeum8Al0HdgJS9tyAiEAlN2lok5XP6BwOonvNOEUDiKqBZMd7fyuqUmNGIwYtps%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=AG3C_xAwRAIgeptW5HzPHo1OdTon-dbIQofYwIAQ2YG5_QOanfj1Ig0CICgzKKB1XTcxcQJVb5loVC9zv_Sn501c_zWgz_hvRrVW&alr=yes&cpn=sEWHHOwZJuZfQGfn&cver=2.20201105.01.01&range=0-65884&rn=2&rbuf=0' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104329.415:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'https://r3---sn-5goeen7y.googlevideo.com/videoplayback?expire=1604936612&ei=RA-pX5fZB4KP7ASu05yQCw&ip=195.60.68.148&id=o-AJaY4Ts2u3uF6M7x5A3VxNQFYce2YpzcGPCddUGXWc69&itag=251&source=youtube&requiressl=yes&mh=Qw&mm=31%2C29&mn=sn-5aauxax-0hxe%2Csn-5goeen7y&ms=au%2Crdu&mv=m&mvi=3&pl=23&initcwndbps=5978750&vprv=1&mime=audio%2Fwebm&gir=yes&clen=500773&dur=40.021&lmt=1568060572342935&mt=1604914832&fvip=3&keepalive=yes&c=WEB&txp=5531432&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Cvprv%2Cmime%2Cgir%2Cclen%2Cdur%2Clmt&sig=AOq0QJ8wRgIhANO9Ealrzx_pYk6N8nKN2VVgRg0aJeum8Al0HdgJS9tyAiEAlN2lok5XP6BwOonvNOEUDiKqBZMd7fyuqUmNGIwYtps%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=AG3C_xAwRAIgeptW5HzPHo1OdTon-dbIQofYwIAQ2YG5_QOanfj1Ig0CICgzKKB1XTcxcQJVb5loVC9zv_Sn501c_zWgz_hvRrVW&alr=yes&cpn=sEWHHOwZJuZfQGfn&cver=2.20201105.01.01&fallback_count=1&range=0-348&rn=4&rbuf=0' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104329.415:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'https://r3---sn-5goeen7y.googlevideo.com/videoplayback?expire=1604936612&ei=RA-pX5fZB4KP7ASu05yQCw&ip=195.60.68.148&id=o-AJaY4Ts2u3uF6M7x5A3VxNQFYce2YpzcGPCddUGXWc69&itag=397&aitags=133%2C134%2C135%2C136%2C137%2C160%2C242%2C243%2C244%2C247%2C248%2C278%2C394%2C395%2C396%2C397%2C398%2C399&source=youtube&requiressl=yes&mh=Qw&mm=31%2C29&mn=sn-5aauxax-0hxe%2Csn-5goeen7y&ms=au%2Crdu&mv=m&mvi=3&pl=23&initcwndbps=5978750&vprv=1&mime=video%2Fmp4&gir=yes&clen=1738146&dur=39.998&lmt=1600687745572217&mt=1604914832&fvip=3&keepalive=yes&c=WEB&txp=5531432&sparams=expire%2Cei%2Cip%2Cid%2Caitags%2Csource%2Crequiressl%2Cvprv%2Cmime%2Cgir%2Cclen%2Cdur%2Clmt&sig=AOq0QJ8wRgIhAK9oJxy78lqljopf8HyWeJWNPBWJ9fVAb73phFZb56iPAiEA9hZWFZYVBmh7dcv5uYDri9cSlijg2lrFh2R92hmuAz8%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=AG3C_xAwRAIgeptW5HzPHo1OdTon-dbIQofYwIAQ2YG5_QOanfj1Ig0CICgzKKB1XTcxcQJVb5loVC9zv_Sn501c_zWgz_hvRrVW&alr=yes&cpn=sEWHHOwZJuZfQGfn&cver=2.20201105.01.01&fallback_count=1&range=0-839&rn=3&rbuf=0' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104329.461:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'https://r3---sn-5goeen7y.googlevideo.com/videoplayback?expire=1604936612&ei=RA-pX5fZB4KP7ASu05yQCw&ip=195.60.68.148&id=o-AJaY4Ts2u3uF6M7x5A3VxNQFYce2YpzcGPCddUGXWc69&itag=396&aitags=133%2C134%2C135%2C136%2C137%2C160%2C242%2C243%2C244%2C247%2C248%2C278%2C394%2C395%2C396%2C397%2C398%2C399&source=youtube&requiressl=yes&mh=Qw&mm=31%2C29&mn=sn-5aauxax-0hxe%2Csn-5goeen7y&ms=au%2Crdu&mv=m&mvi=3&pl=23&initcwndbps=5978750&vprv=1&mime=video%2Fmp4&gir=yes&clen=978055&dur=39.998&lmt=1600687242529046&mt=1604914832&fvip=3&keepalive=yes&c=WEB&txp=5531432&sparams=expire%2Cei%2Cip%2Cid%2Caitags%2Csource%2Crequiressl%2Cvprv%2Cmime%2Cgir%2Cclen%2Cdur%2Clmt&sig=AOq0QJ8wRQIgAt2PiAuYblwGjJrdCSrmLtyc29-RxWjbS-MzEABM1JICIQCXUWmO9nUkqjNwEEB23fhcmtKlLGlA12FsNVfQLGsYHw%3D%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=AG3C_xAwRAIgeptW5HzPHo1OdTon-dbIQofYwIAQ2YG5_QOanfj1Ig0CICgzKKB1XTcxcQJVb5loVC9zv_Sn501c_zWgz_hvRrVW&alr=yes&cpn=sEWHHOwZJuZfQGfn&cver=2.20201105.01.01&fallback_count=1&range=0-839&rn=5&rbuf=0' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104329.536:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'https://r3---sn-5aauxax-0hxe.googlevideo.com/videoplayback?expire=1604936612&ei=RA-pX5fZB4KP7ASu05yQCw&ip=195.60.68.148&id=o-AJaY4Ts2u3uF6M7x5A3VxNQFYce2YpzcGPCddUGXWc69&itag=396&aitags=133%2C134%2C135%2C136%2C137%2C160%2C242%2C243%2C244%2C247%2C248%2C278%2C394%2C395%2C396%2C397%2C398%2C399&source=youtube&requiressl=yes&mh=Qw&mm=31%2C29&mn=sn-5aauxax-0hxe%2Csn-5goeen7y&ms=au%2Crdu&mv=m&mvi=3&pl=23&initcwndbps=5978750&vprv=1&mime=video%2Fmp4&gir=yes&clen=978055&dur=39.998&lmt=1600687242529046&mt=1604914832&fvip=3&keepalive=yes&c=WEB&txp=5531432&sparams=expire%2Cei%2Cip%2Cid%2Caitags%2Csource%2Crequiressl%2Cvprv%2Cmime%2Cgir%2Cclen%2Cdur%2Clmt&sig=AOq0QJ8wRQIgAt2PiAuYblwGjJrdCSrmLtyc29-RxWjbS-MzEABM1JICIQCXUWmO9nUkqjNwEEB23fhcmtKlLGlA12FsNVfQLGsYHw%3D%3D&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=AG3C_xAwRAIgeptW5HzPHo1OdTon-dbIQofYwIAQ2YG5_QOanfj1Ig0CICgzKKB1XTcxcQJVb5loVC9zv_Sn501c_zWgz_hvRrVW&alr=yes&cpn=sEWHHOwZJuZfQGfn&cver=2.20201105.01.01&range=0-839&rn=6&rbuf=0' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104329.915:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu7GxKOzY.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)
  • [1109/104330.015:INFO:CONSOLE(0)] "Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu7GxKOzY.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field acs-request-id is not allowed by Access-Control-Allow-Headers in preflight response.", source: https://www.youtube.com/watch?v=B3EBs7sCOzo (0)

• Does this problem also occur in the CEF Sample Application No,

[amaitland]

CefSharp 85.3.130 from Nuget, with custom built CEF from branch 4183 using the following flags

Does the problem reproduce if you use the Nuget package unmodified?

We traced the issue back to the IResourceRequestHandler.OnBeforeResourceLoad method, if we modify the header collection here (using either the newer IRequest.SetHeaderByName or the traditional overwriting of the IRequest.Headers collection with a modified one) the video streams malfunction as described above.

Sounds like a bug in CEF, I'd suggest moving the conversation to https://magpcss.org/ceforum/viewforum.php?f=18 and posting a link back here for reference.

It's important to remember that CefSharp is just one of many Chromium Embedded Framework(CEF) wrappers.

[Jonas-Axelsson]

Does the problem reproduce if you use the Nuget package unmodified?

Just tested this with a pure NuGet v85.3.130 and yes the issue reproduces for us in the same way.

Sounds like a bug in CEF, I'd suggest moving the conversation to https://magpcss.org/ceforum/viewforum.php?f=18 and posting a link back here for reference.

Alright, we will repost the issue over in the CEF forums, thanks for a quick reply!

[amaitland]

Just tested this with a pure NuGet v85.3.130 and yes the issue reproduces for us in the same way.

Great, that at least eliminates your custom build 👍

Can you provide a link to a YouTube video that reliably reproduces the problem?

• an internal proxy (server side) to display web pages in an embedded fashion

Are you able to test without using a proxy?

[Jonas-Axelsson]

Sadly when trying to create a forum account in order to post, no activation email is sent/received (have double checked address and spam folder). All help sections related to account activation mentions contacting an administrator, but while searching for ways to contact an administrator all we have found were more login screens...

Can you provide a link to a YouTube video that reliably reproduces the problem?

When testing, any front page video seems to produce the issue, but here is a specifik link that had the issue for sure: https://www.youtube.com/watch?v=_TYRa6vxxb0

Are you able to test without using a proxy?

The application has two kinds of web views, those who route via the proxy and those who don't. We have mainly tried to solve this issue in web views that do not route via the proxy to eliminate it as the cause, so the proxy should not be a factor.

[amaitland]

Sadly when trying to create a forum account in order to post, no activation email is sent/received (have double checked address and spam folder). All help sections related to account activation mentions contacting an administrator, but while searching for ways to contact an administrator all we have found were more login screens...

This may take a little while. If you still have problem see https://bitbucket.org/chromiumembedded/cef/issues/3019/unable-to-get-an-activation-email-from (there's an email address you can contact)

The application has two kinds of web views, those who route via the proxy and those who don't. We have mainly tried to solve this issue in web views that do not route via the proxy to eliminate it as the cause, so the proxy should not be a factor.

Have you attempted to recreate the problem in isolation?

• Clone/Fork https://github.com/cefsharp/CefSharp.MinimalExample
• Add a RequestHandler/ResourceRequestHandler handler that sets some headers
• Load Youtube and confirm the problem reproduces in isolation

[Jonas-Axelsson]

This may take a little while. If you still have problem see https://bitbucket.org/chromiumembedded/cef/issues/3019/unable-to-get-an-activation-email-from (there's an email address you can contact)

These apparently got stuck in the company email protection service and we weren't notified until today, but we are now good to continue to post on the CEF forums.

Have you attempted to recreate the problem in isolation?

An isolated test run in the minimal example is a good idea, we will attempt to reproduce the issue there before posting on the CEF forum.

[Jonas-Axelsson]

Just built and modified the minimal example with a equally minimal ResourceRequestHandler (adds a single custom header to each request). This does indeed reproduce the issue!

private const string RequestIdHeader = "CustomHeader";

public CefReturnValue OnBeforeResourceLoad(IWebBrowser chromiumWebBrowser, IBrowser browser, IFrame frame, IRequest request, IRequestCallback callback)
{
    request.SetHeaderByName(RequestIdHeader, Guid.NewGuid().ToString(), true);

    return CefReturnValue.Continue;
}

This indicates that the issue does indeed lie within CEF. We will move on to post in the forum now, including details of the test with the minimal example.

Update: Forum post approved: https://www.magpcss.org/ceforum/viewtopic.php?f=18&t=17981&e=0

[Krisell]

You write that the log contains nothing relevant, but couldn't blocked requests to googlevideo.com/videoplayback and more be highly relevant?

I'm not certain it's the same issue, but I recently reported a similar problem to another OSS project that adds custom headers using CefSharp. The custom headers causes plain GET-requests to no longer be classified as "simple" (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) which triggers a preflight request (HTTP verb OPTIONS), asking for "permission" to perform the actual request. The googlevideo API might not expect any preflights to be made, since it serves basic GET-requests from its own domain.

Here's my bug report on the other project: https://github.com/SafeExamBrowser/seb-win-refactoring/issues/46

[Jonas-Axelsson]

I did not previously notice the videoplayback part of the blocked request earlier while skimming over the logs for info, but now that you mention it that does indeed sound plausible, thank you for the additional information!

The main expertise area of the team lies outside of network/web development (we had no prior knowledge about CORS or the concept of pre-flight requests for example), therefore we sadly have little additional insight to share.

We will add this information to the CEF-forum ticket for reference.

[amaitland]

Makes sense now, I wasn't aware youtube was making CORS requests to load it's content. CORS is much stricter than it was in version 79. The Chromium Site Isolation project in particular kicked off a lot of new restrictions.

A quick test with disable-web-security and youtube would appear to load a video as expected. So basically confirming this is a CORS issue. (Don't do this in production, just for testing purposes).

As per https://www.magpcss.org/ceforum/viewtopic.php?f=18&t=17981&e=0#p47441 avoiding adding additional headers to websites that are outside of your control is the suggested course of action.

Closing now as there doesn't appear to be anything actionable from a CefSharp point of view.

[DrabanL]

@amaitland it seems like with latest version (v86.0.241), even with disable-web-security (WebSecurity = CefState.Disabled), videos would not load if custom header has been injected with request.SetHeaderByName.

can you verify?

EDIT:

"disable-web-security" flag must be enabled (regardless of CefSettings WebSecurity value) CefCommandLineArgs.Add("disable-web-security", "1")

[amaitland]

even with disable-web-security (WebSecurity = CefState.Disabled),

You'll need to use the command line arg as you've found out. The property behaves differently and I'm expecting it will be removed from CEF in the not too distant future, see https://bitbucket.org/chromiumembedded/cef/issues/3058/remove-cefbrowsersettingsweb_security