
CORB blocks Google Drive API calls in NW.js only


NWJS Version : 0.31.0+ (CORB was introduced in Chrome 67)
Operating System : Windows 10 x64

In our software Construct 3, we use Google Drive’s API to save users’ projects to the cloud. However, since CORB (Cross-Origin Read Blocking) was introduced in Chrome 67, Google Drive API calls are blocked by CORB, but only in NW.js. Chrome itself continues to work normally, and CORB only blocks the requests in NW.js.

The API calls fail and the following is logged to the console in NW.js indicating CORB blocked access (note this appears to only be logged if dev tools is open at the time the request is made):

    Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.googleapis.com/drive/v3/files?pageSize=1000&fields=... with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

Previously we used the following Chromium command-line flags to disable CORB as advised here:

    --disable-features=CrossSiteDocumentBlockingAlways,CrossSiteDocumentBlockingIfIsolating

Unfortunately these flags were recently deleted as you can see in this commit: https://chromium.googlesource.com/chromium/src.git/+/fb46cf461915c156e955748431ce7f5127b54f4c

This means the CORB problem has started happening again in our NW.js app. We can successfully work around it again by using --disable-web-security, but this seems dangerous. We only want to disable CORB, not the entire same-origin security policy.

I don’t know why CORB blocks the API calls only in NW.js. I tried making sure the user agent is identical to Chrome 71’s, but that didn’t help. I also tested a build of Chromium instead of Chrome; it worked, the same as Chrome, so it’s specifically NW.js and not Chromium. Perhaps there is some change in NW.js that affects CORB? Alternatively, if this is too difficult to work out, perhaps NW.js could provide its own flag to disable CORB? According to the previously linked commit, there is an is_corb_enabled flag that is set to false when --disable-web-security is passed; presumably an NW.js flag could do the same.

Google Drive is a major feature of our app - if we can’t find a solution we will be forced to use --disable-web-security which I’d prefer to avoid if at all possible.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:1
  • Comments:7 (4 by maintainers)
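
An added example, not part of the original issue and not code from NW.js or Construct 3: a small JavaScript check that audits an NW.js manifest for the flags discussed in the issue above. It assumes the flags are supplied through the manifest's `chromium-args` field; the sample manifests, the `Foo` feature name and the function names are constructed for illustration.

```javascript
// Added example: audit an NW.js manifest's "chromium-args" for the flags
// discussed in the issue. Function names and sample manifests are constructed.

// Feature names from the issue's --disable-features workaround; the issue
// reports that Chromium later deleted them.
const REMOVED_CORB_FEATURES = new Set([
  'CrossSiteDocumentBlockingAlways',
  'CrossSiteDocumentBlockingIfIsolating',
]);

// Split a chromium-args string on whitespace, keeping quoted values together.
function tokenize(args) {
  const re = /(?:[^\s'"]+|'[^']*'|"[^"]*")+/g;
  return (args.match(re) || []).map((t) => t.replace(/['"]/g, ''));
}

// Return one finding per risky or fragile flag found in the manifest.
function auditChromiumArgs(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  for (const token of tokenize(manifest['chromium-args'] || '')) {
    const eq = token.indexOf('=');
    const name = eq === -1 ? token : token.slice(0, eq);
    const value = eq === -1 ? '' : token.slice(eq + 1);
    if (name === '--disable-web-security') {
      findings.push({ severity: 'high', flag: name,
        reason: 'disables the same-origin policy for the whole app, not only CORB' });
    } else if (name === '--disable-features') {
      for (const feature of value.split(',').filter(Boolean)) {
        if (REMOVED_CORB_FEATURES.has(feature)) {
          findings.push({ severity: 'info', flag: `${name}=${feature}`,
            reason: 'CORB feature name reported as deleted from Chromium' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample manifests ("Foo" is a made-up feature name).
const RISKY = JSON.stringify({ name: 'demo', main: 'index.html',
  'chromium-args': '--disable-web-security --disable-features=CrossSiteDocumentBlockingAlways,Foo' });
const CLEAN = JSON.stringify({ name: 'demo', main: 'index.html',
  'chromium-args': "--enable-logging --user-agent='Demo Agent/1.0'" });

console.log(auditChromiumArgs(RISKY));
console.log(auditChromiumArgs(CLEAN)); // []
```

Run against a real `package.json` in a build step, a `high` finding is a reason to fail the build.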

Top GitHub Comments

TheRealDannyyy commented, Dec 7, 2018 (1 reaction)

@rogerwang Ashley’s probably busy but I’m a Construct 3 user, so here are the steps to reproduce:

  1. Download and unzip Construct 3 Desktop
  2. Run Construct3.exe
  3. Click on the cloud button
  4. Click on the service selector and select “Google Drive” (Google account login required)
  5. Notice error: “Failed to refresh file list”

AshleyScirra commented, Dec 11, 2018 (0 reactions)

@rogerwang - confirmed 0.35.1 now works. Thanks for the quick fix!
