Origin is "not allowed" for given client ID when origin was added
Note: My site is in production mode, not testing. It is pending verification due to me adding an icon. This issue persisted before the verification was started.
Whenever my browser makes a request to Google for the one-tap widget or the pill, both requests return 400 Bad Request with an empty HTML page and the console is sent a message stating "The given origin is not allowed for the given client ID." I've gone onto the Google Cloud Console and checked my origins. I have only one listed, and it's the exact site I'm sending requests from my browser. My site also has its traffic proxied through Cloudflare if that makes a difference. In addition, I am using JavaScript callbacks (which work when used in PI#1).
Potential issue #1: The URLs are typed in wrong
When I insert localhost (I add https and http because I test with a HTTPS webserver locally using a Cloudflare origin certificate), the requests go through perfectly. However, the moment the requests are from my browser when it's not localhost, the requests fail. I've copied and pasted straight from the URL bar just to make sure that there's no typos or anything but the same results return.
Potential issue #2: The widget is making bad requests
I do open the URLs in other tabs (Which yield the same results from PI#1) and insert bogus URLs like example.com and thisisnotaurl.com to ensure it's not just dropping every request. Those requests return 403 Forbidden instead of 400 Bad Request.
Potential issue #3: The issue is browser specific
I've checked this issue on both Firefox and Microsoft Edge, both on the stable branches and completely up to date. I've disabled my ad block (UBlock Origin & Firefox built-in protection) to ensure they aren't messing with requests but everything except the crucial requests fail with 400 Bad Request. I have yet to test other browsers as I do not have them installed but I assume the same results come from them.
An example of the code can be found here: https://gist.github.com/totallytavi/772ea25b16f3fa0b6b0e04739a1689dd.
The origins shown below are the exact website I am accessing. In addition, I've verified the client IDs are exactly the same as the ones I have added
Referrer Policy is improperly configured
The HTTP header Referrer-Policy controls the exact amount of data sent to servers regarding the origin of the request. In most cases, this is set to same-origin which means that the Referer header will send the origin to servers with the same origin.
Consider you have a webserver at example.com and another at web.example.com with a Referrer-Policy of same-origin. When example.com sends a request to web.example.com, the Referer header will contain the origin of the request, since it is the same origin. However, if example.com sends a request to google.com, the Referer header will not send any origin data, as google.com and example.com are not the same origin.
If we look at the requests, this directive is what we see
As such, we need to update the directive to allow the browser to send the origin in the Referer header. This can be done by inserting the following into the HTML of the current page.
<meta name="referrer" content="origin">
This meta tag will allow the browser to send the origin only to other webservers, and as such, Google will see the origin.
Consider the example above again. This time, when example.com sends a request to google.com, the request will contain a Referer header with the origin, as the directive allows for sharing of the origin. However, with this current policy, only the origin is sent, not the query parameters and other parts of the URL. With the following URL: https://example.com/test/123, google.com will only see https://example.com. The MDN Web Docs contain all the possible values and their effects.
- Google Cloud Platform: SSH to Google cloud instance will have "Permission denied (publickey)"
- Unable to assign iam.serviceAccounts.signBlob permission
- how to disable soft delete from a GCS bucket
- GCP load balancer 502 server error and "backend_connection_closed_before_data_sent_to_client" IIS 10
- Duplicate events in Eventarc triggered Google Cloud Run service
- Extract a string value from a JSON field in GCP log analytics
- GitLab LDAP Authentication Issues (SSL_connect, user auth)
- I got this error when i try to SignIN[GSI_LOGGER-TOKEN_CLIENT]: The OAuth token was not passed to gapi.client - Flutter,GoogleSignIn
- How to Setup Different Maintenance windows for Node Pools Within the Same GKE
- Understanding customer and service producer VPC networks in Private Service Access
- Why is BigQuery so slow on non-large data sizes?
- Is it possible to identify who triggered a GCB build?
- GCP - How do you create a URL Redirect path rule with gcloud url-maps?
- "Unsupported service account" errors from gcloud when deploying --gen2 functions with --build-service-account
- How to decode Google CloudEvent data?
- How to connect to GCP VM instance with password using SSH?
- testing google sheet editor addon fails with error 403
- Google Cloud SQL connection to flutter
- New Trace and Span Generated even after using TraceId and SpanID from Remote Context
- I can't get Future to complete with a value
- Connecting to Endpoint API on Android Client
- Post Count not updating in firebase react
- Previously successful Cloud Run Service & Job deploy process with resource level IAM grants not working anymore for certain projects
- "Deadline" error when embedding video with Google Vertex AI multimodal embedding modal
- Firebase function deployment timing out
- Deploying to GCP App Engine from terminal produces contradictory error messages
- Stripe Error: No signatures found matching the expected signature for payload
- Firestore .where + Filter.and queries not working
- How to use Google Cloud Firestore local emulator for python and for testing purpose
- How to serialize a ComputeRoutesResponse