#180 File upload on classroom.google.com broken

Closed
opened 2 weeks ago by PinkDev1 · 6 comments
PinkDev1 commented 2 weeks ago

Version information and more: https://pastebin.com/Y6vYSuqT

How to replicate:
Go to classroom.google.com
Select class
Select pending assigment
Add or create -> File
Get following pop-up: https://i.imgur.com/aKLdc19.jpg

After that pops-up, you can't interact with the page in any way. Some animations still work, but you're pretty much forced to reload.

It's pretty weird, because adding an exception for classroom.google.com doesn't seem to fix the issue (nor, enabling Filter-HTML). However, the website works nicely when I completely disable LocalCDN.
On DevConsole->Network, there's no difference beetwen loading the page with LocalCDN On/Off (⊙_⊙;)

Without LocalCDN the browser console throws no (relevant) error.
With LocalCDN enabled, the following error pops up 4 times (with varying "parameters"), before displaying an indefinite ammount of varying uncaught errors.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.gstatic.com/_/picker/_/js/k=picker.opms.es.202bjJe2xTc.O/am=EA/d=0/ct=zgms/rs=AGshSGMw0BjnWi0H0j2rOfTQh-KFvBQt9Q/m=sy21,uiNkee,K99qY,Jdbz6e,Mq9n0c,uGhL7d,eSRHqc,O6y8ed,MtdDwc,HqHEue,PwNT6,X5SV6b,kb0Hd,sy6,OR2UYd,Qxnz7b,A0O7S. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Version information and more: https://pastebin.com/Y6vYSuqT How to replicate: Go to classroom.google.com Select class Select pending assigment Add or create -> File Get following pop-up: https://i.imgur.com/aKLdc19.jpg After that pops-up, you can't interact with the page in any way. Some animations still work, but you're pretty much forced to reload. It's pretty weird, because adding an exception for classroom.google.com doesn't seem to fix the issue (nor, enabling Filter-HTML). However, the website works nicely when I completely disable LocalCDN. On DevConsole->Network, there's no difference beetwen loading the page with LocalCDN On/Off `(⊙_⊙;)` Without LocalCDN the browser console throws no (relevant) error. With LocalCDN enabled, the following error pops up 4 times (with varying "parameters"), before displaying an indefinite ammount of varying uncaught errors. ` Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.gstatic.com/_/picker/_/js/k=picker.opms.es.202bjJe2xTc.O/am=EA/d=0/ct=zgms/rs=AGshSGMw0BjnWi0H0j2rOfTQh-KFvBQt9Q/m=sy21,uiNkee,K99qY,Jdbz6e,Mq9n0c,uGhL7d,eSRHqc,O6y8ed,MtdDwc,HqHEue,PwNT6,X5SV6b,kb0Hd,sy6,OR2UYd,Qxnz7b,A0O7S. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). `
Poster

Possible duplicate of #179.

Please try disabling "strip metadata from allowed requests".
(Or, if you want to keep "strip metadata from allowed requests" enabled, consider downgrading to 2.5.6 and disable automatic update for LocalCDN.)

Possible duplicate of #179. Please try disabling "strip metadata from allowed requests". (Or, if you want to keep "strip metadata from allowed requests" enabled, consider downgrading to 2.5.6 and disable automatic update for LocalCDN.)
nobody commented 1 week ago
Poster
Owner

Testing by disabling strip metadata from allowed requests can also be done with v2.5.7 😉

Testing by disabling `strip metadata from allowed requests` can also be done with v2.5.7 😉
nobody commented 1 week ago
Poster
Owner

@PinkDev1: Have you already tested it? (Should be fixed with v2.5.9)

@PinkDev1: Have you already tested it? (Should be fixed with v2.5.9)
PinkDev1 commented 1 week ago
Poster

@nobody Whoops, Codeberg's emails were being sent to my spam folder :p
Nope, issue persists in v2.5.9
Yes, disabling Strip metadata from allowed requests makes the website work again :)

Until a cleaner fix can be done, I'd suggest adding an option to add a modifiable exception list to that specific feature

@nobody Whoops, Codeberg's emails were being sent to my spam folder :p Nope, issue persists in v2.5.9 Yes, disabling `Strip metadata from allowed requests` makes the website work again :) Until a cleaner fix can be done, I'd suggest adding an option to add a modifiable exception list to that specific feature
Poster

I think 2.5.9 will disable strip metadata from allowed requests if a site is whitelisted. If you activate the first switch in popup, classroom.google.com will be whitelisted and strip metadata from allowed requests for that site will also be disabled.
(In previous versions, even if a site is whitelisted, strip metadata from allowed requests will not be disabled.)

But is wildcard supported? e.g. How can you whitelist google.com and all subdomains like forms.google.com, docs.google.com, etc.?

I also wish that there can be a more advanced exception list. Not only for strip metadata but also for individual frameworks.
Suppose a website calls 5 frameworks but 1 of them has SOP/CORS problem. It would be nice if I can tell LocalCDN to allow that specific framework on that specific domain, instead of completely disabling LocalCDN on that website.

I think 2.5.9 will disable `strip metadata from allowed requests` if a site is whitelisted. If you activate the first switch in popup, `classroom.google.com` will be whitelisted and `strip metadata from allowed requests` for that site will also be disabled. (In previous versions, even if a site is whitelisted, `strip metadata from allowed requests` will not be disabled.) But is wildcard supported? e.g. How can you whitelist `google.com` and all subdomains like `forms.google.com`, `docs.google.com`, etc.? I also wish that there can be a more advanced exception list. Not only for `strip metadata` but also for individual frameworks. Suppose a website calls 5 frameworks but 1 of them has SOP/CORS problem. It would be nice if I can tell LocalCDN to allow that specific framework on that specific domain, instead of completely disabling LocalCDN on that website.
nobody added the
duplicate
label 1 week ago
nobody commented 1 week ago
Poster
Owner

[Duplicate of #179]


@PinkDev1:

Yes, disabling Strip metadata from allowed requests makes the website work again

Okay, then we know that it is caused by the missing metadata.


@fyjzjj3yva:

I think 2.5.9 will disable strip metadata from allowed requests if a site is whitelisted. If you activate the first switch in popup, classroom.google.com will be whitelisted and strip metadata from allowed requests for that site will also be disabled.
(In previous versions, even if a site is whitelisted, strip metadata from allowed requests will not be disabled.)

Exactly, that's the context I forgot in my comment above.

is wildcard supported?

No, wildcards are not supported. It is also not planned at the moment.

I also wish that there can be a more advanced exception list. Not only for strip metadata but also for individual frameworks.

I understand that, but I don't see a use case for it yet. If a website uses a strict SOP, this applies to all JavaScript and/or CSS files. If you only need to load a single file from a CDN (for whatever reason), you can load the other stuff from there as well. From the point of view of privacy, it doesn't matter in this case anyway, because the CDN knows you.

[Duplicate of #179] --- @PinkDev1: > Yes, disabling Strip metadata from allowed requests makes the website work again Okay, then we know that it is caused by the missing metadata. --- @fyjzjj3yva: > I think 2.5.9 will disable strip metadata from allowed requests if a site is whitelisted. If you activate the first switch in popup, classroom.google.com will be whitelisted and strip metadata from allowed requests for that site will also be disabled. > (In previous versions, even if a site is whitelisted, strip metadata from allowed requests will not be disabled.) Exactly, that's the context I forgot in my comment above. > is wildcard supported? No, wildcards are not supported. It is also not planned at the moment. > I also wish that there can be a more advanced exception list. Not only for strip metadata but also for individual frameworks. I understand that, but I don't see a use case for it yet. If a website uses a strict SOP, this applies to all JavaScript and/or CSS files. If you only need to load a single file from a CDN (for whatever reason), you can load the other stuff from there as well. From the point of view of privacy, it doesn't matter in this case anyway, because the CDN knows you.
nobody closed this issue 1 week ago
Sign in to join this conversation.
No Milestone
No Assignees
3 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.