Huppys
commented
5 years ago I'm facing the exact same errors. Are you sitting behind any kind of proxy?
Closed phistuck closed 4 years ago
Huppys
commented
5 years ago I'm facing the exact same errors. Are you sitting behind any kind of proxy?
phistuck
commented
5 years ago @Huppys - no, but this seems fixed for me at the moment (Chrome canary 73.0.3630.0).
I guess Chrome improved its algorithm for sending those x-client-data headers to not send them in CORS-sensitive requests.
khambadkone
commented
5 years ago I'm seeing this same problem all of a sudden with Version 76.0.3809.100 (Official Build) (64-bit).
The pages render fine when opened with Incognito
phistuck
commented
5 years ago @khambadkone - can you paste the errors from the console of the Developer Tools?
khambadkone
commented
5 years ago For example, on accessing https://firebase.google.com/support/troubleshooter/report/bugs/
we see the following :
Access to fetch at 'https://fonts.gstatic.com/s/materialicons/v48/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2' from origin 'https://firebase.google.com' has been blocked by CORS policy: Request header field pragma is not allowed by Access-Control-Allow-Headers in preflight response.
5The FetchEvent for "
phistuck
commented
5 years ago I cannot reproduce (I tried F5, Control+F5, disabling cache in the Developer Tools...), but anyway, the Firebase documentation is off topic for the Web Fundamentals repository...
erickertz
commented
4 years ago For what its worth, Im seeing this same issue with
Version 76.0.3809.132 (Official Build) (64-bit)
It's happening for a few sites, including all of the examples listed in this issue.
phistuck
commented
4 years ago @erickertz - do you get the exact error that @khambadkone mentioned (pragma, not x-client-data)?
Does it reproduce in incognito mode as well? (If not, an extension that you use might be adding this header)
khambadkone
commented
4 years ago Akamai's chrome plugin for testing their CDN was causing my issue. On disabling it, the site loaded fine
On Wed, 28 Aug, 2019, 6:45 PM PhistucK, notifications@github.com wrote:
@erickertz https://github.com/erickertz - do you get the exact error that @khambadkone https://github.com/khambadkone mentioned (pragma, not x-client-data)?
Does it reproduce in incognito mode as well? (If not, an extension that you use might be adding this header)
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/google/WebFundamentals/issues/6881?email_source=notifications&email_token=AAP4WUWORK4GYJP472K4U4DQGZ26PA5CNFSM4GGH3YB2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5LCOOI#issuecomment-525739833, or mute the thread https://github.com/notifications/unsubscribe-auth/AAP4WUSBCMRJEXKA4LFQH5TQGZ26PANCNFSM4GGH3YBQ .
erickertz
commented
4 years ago @phistuck @khambadkone it was the Akamai plugin causing the issue for me as well. Thanks!
Page Affected: https://developers.google.com/web/updates/2017/10/using-twa
What needs to be done? The fonts are blocked, so the page looks like this -
I guess Chrome 72 sends an
x-client-dataHTTP header to Google related entities, which results in many CORS related errors (fixable by allowing that header, I guess) -Access to font at 'https://fonts.gstatic.com/s/googlesans/v9/4UaGrENHsxJlGDuGo1OIlL3Owp4.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. 4UaGrENHsxJlGDuGo1OIlL3Owp4.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOmCnqEu92Fr1Mu4mxK.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOlCnqEu92Fr1MmEU9fBBc4.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/materialicons/v41/flUhRq6tzZclQEJ-Vdg-IuiaDsNc.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. flUhRq6tzZclQEJ-Vdg-IuiaDsNc.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc4.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOlCnqEu92Fr1MmWUlfBBc4.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOkCnqEu92Fr1Mu51xIIzI.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOkCnqEu92Fr1Mu51xIIzI.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/robotomono/v5/L0xkDF4xlVMF-BfR8bXMIjC4iGqxf78.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. L0xkDF4xlVMF-BfR8bXMIjC4iGqxf78.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/robotomono/v5/L0x5DF4xlVMF-BfR8bXMIjhLq38.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. L0x5DF4xlVMF-BfR8bXMIjhLq38.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/robotomono/v5/L0xkDF4xlVMF-BfR8bXMIjDwjmqxf78.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. L0xkDF4xlVMF-BfR8bXMIjDwjmqxf78.woff2:1 Failed to load resource: net::ERR_FAILED using-twa:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fABc4EsA.woff2' from origin 'https://developers.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOlCnqEu92Fr1MmEU9fABc4EsA.woff2:1 Failed to load resource: net::ERR_FAILED TCgT8dzSiU8?autohide=1&showinfo=0&enablejsapi=1:1 Access to XMLHttpRequest at 'https://googleads.g.doubleclick.net/pagead/id' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. googleads.g.doubleclick.net/pagead/id:1 Failed to load resource: net::ERRFAILED using-twa:1 Access to XMLHttpRequest at 'https://ogs.google.com/u/0//og/botguard/get?rt=j&sourceid=331' from origin 'https://developers.google.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. ogs.google.com/u/0/_/og/botguard/get?rt=j&sourceid=331:1 Failed to load resource: net::ERR_FAILED content.min.js:2 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details. (anonymous) @ content.min.js:2 TCgT8dzSiU8?autohide=1&showinfo=0&enablejsapi=1:1 Access to XMLHttpRequest at 'https://googleads.g.doubleclick.net/pagead/id' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. googleads.g.doubleclick.net/pagead/id:1 Failed to load resource: net::ERRFAILED apis.google.com/u/0//widget/render/comments?usegapi=1&href=https%3A%2F%2Fdevelopers.google.com%2Fweb%2Fupdates%2F2017%2F10%2Fusing-twa&width=805&first_party_property=BLOGGER&view_type=FILTEREDPOSTMOD&hl=en&origin=https%3A%2F%2Fdevelopers.google.com&search=&hash=&gsrc=3p&jsh=m%3B%2F%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.CUp85wbT4DI.O%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo-XBQda2DFvo9hxbj_dGnCV84SJMA%2Fm%3Dfeatures#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Cscroll%2Copenwindow&id=I0_1543165255252&_gfid=I0_1543165255252&parent=https%3A%2F%2Fdevelopers.google.com&pfname=&rpctoken=28904081:1 Active resource loading counts reached a per-frame limit while the tab was in background. Network requests will be delayed until a previous loading finishes, or the tab is brought to the foreground. See https://www.chromestatus.com/feature/5527160148197376 for more details content.min.js:2 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details. (anonymous) @ content.min.js:2 content.min.js:2 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details. (anonymous) @ content.min.js:2 TCgT8dzSiU8?autohide=1&showinfo=0&enablejsapi=1:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOmCnqEu92Fr1Mu4mxK.woff2:1 Failed to load resource: net::ERRFAILED apis.google.com/u/0//widget/render/comments?usegapi=1&href=https%3A%2F%2Fdevelopers.google.com%2Fweb%2Fupdates%2F2017%2F10%2Fusing-twa&width=805&first_party_property=BLOGGER&view_type=FILTEREDPOSTMOD&hl=en&origin=https%3A%2F%2Fdevelopers.google.com&search=&hash=&gsrc=3p&jsh=m%3B%2F%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.CUp85wbT4DI.O%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo-XBQda2DFvo9hxbj_dGnCV84SJMA%2Fm%3Dfeatures#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Cscroll%2Copenwindow&id=I0_1543165255252&_gfid=I0_1543165255252&parent=https%3A%2F%2Fdevelopers.google.com&pfname=&rpctoken=28904081:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2' from origin 'https://apis.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOmCnqEu92Fr1Mu4mxK.woff2:1 Failed to load resource: net::ERRFAILED apis.google.com/u/0//widget/render/comments?usegapi=1&href=https%3A%2F%2Fdevelopers.google.com%2Fweb%2Fupdates%2F2017%2F10%2Fusing-twa&width=805&first_party_property=BLOGGER&view_type=FILTEREDPOSTMOD&hl=en&origin=https%3A%2F%2Fdevelopers.google.com&search=&hash=&gsrc=3p&jsh=m%3B%2F%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.CUp85wbT4DI.O%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo-XBQda2DFvo9hxbj_dGnCV84SJMA%2Fm%3Dfeatures#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Cscroll%2Copenwindow&id=I0_1543165255252&_gfid=I0_1543165255252&parent=https%3A%2F%2Fdevelopers.google.com&pfname=&rpctoken=28904081:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc4.woff2' from origin 'https://apis.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOlCnqEu92Fr1MmWUlfBBc4.woff2:1 Failed to load resource: net::ERRFAILED apis.google.com/u/0//widget/render/comments?usegapi=1&href=https%3A%2F%2Fdevelopers.google.com%2Fweb%2Fupdates%2F2017%2F10%2Fusing-twa&width=805&first_party_property=BLOGGER&view_type=FILTEREDPOSTMOD&hl=en&origin=https%3A%2F%2Fdevelopers.google.com&search=&hash=&gsrc=3p&jsh=m%3B%2F%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.CUp85wbT4DI.O%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo-XBQda2DFvo9hxbj_dGnCV84SJMA%2Fm%3Dfeatures#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Cscroll%2Copenwindow&id=I0_1543165255252&_gfid=I0_1543165255252&parent=https%3A%2F%2Fdevelopers.google.com&pfname=&rpctoken=28904081:1 Access to font at 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2' from origin 'https://apis.google.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2:1 Failed to load resource: net::ERR_FAILED TCgT8dzSiU8?autohide=1&showinfo=0&enablejsapi=1:1 Access to XMLHttpRequest at 'https://googleads.g.doubleclick.net/pagead/id' from origin 'https://www.youtube.com' has been blocked by CORS policy: Request header field x-client-data is not allowed by Access-Control-Allow-Headers in preflight response. googleads.g.doubleclick.net/pagead/id:1 Failed to load resource: net::ERR_FAILED