Blank Page returned for YouTube when using Chrome browser with Notify pages enabled on ProxySG or ASG

Article ID: 171282

Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

End users on Google Chrome 64 and later receive a blank page when browsing to YouTube if Notify pages are set up on ProxySG or ASG.

If you open developer tools and inspect the blank YouTube page, the following message is visible:

Browser Error:  Redirect from 'https://s.ytimg.com/...' to 'https://notify.bluecoat.com/...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.  Origin 'https://www.youtube.com' has therefore not allowed access.

Cause

This issue appears with the latest Chrome update, which places more focus on security and privacy. One of the biggest changes introduced in this version of Chrome relates directly to website redirects that cross domains.

Environment

Browser:  Google Chrome 64 or later

Host/Client:  Any

Appliance:  ProxySG, ASG

Policy:  Web Access Layer  >>  Source:  any >> Dest:  simple match: youtube.com >> Action:  Notify Users

Resolution

Due to the nature of CORS policy and how it relates to Notify Pages, this issue can be addressed with a minor modification to policy, without requiring any advanced configuration in the browser. Note: It is recommended that you do not disable features like 'CORS Policy' at the browser level, as they are typically in place to protect users. In Google's latest version of Chrome, it doesn't appear to be possible to disable this any longer.

The solution is simple. The redirect to YouTube from the notify page works without any issue. The problem surfaces in the request to YouTube's content server: ytimg.com. The simplest solution is to add a new rule in policy, directly above the existing notify rule, structured similarly to:

Source:  any  >>  Dest:  simple-match: ytimg.com  >>  Action:  none

The key to this rule is applying an Action of "none". This causes policy evaluation to match on the request to ytimg.com and stop before reaching the Notify page rule below it. Since the request to ytimg.com is no longer redirected to the Notify page, it no longer violates CORS policy, and the page loads as intended after the user clicks through the Notify page.
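
To confirm which hosts need a rule like the one above, one option is to export a HAR file from Chrome's developer tools and list the cross-origin requests that were redirected to the notify host without an acceptable Access-Control-Allow-Origin header. This is an added example, not code from the article or the vendor; the function name is hypothetical, the HAR sample and its URL paths are constructed, and the check ignores credentialed-request rules.

```python
from urllib.parse import urlsplit

def _header(headers, name):
    """Return the first matching value from a HAR header list (case-insensitive)."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def hosts_needing_exemption(har, notify_host):
    """Hosts whose CORS requests were redirected to the notify host without an
    Access-Control-Allow-Origin header the browser would accept."""
    hosts = set()
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        target = urlsplit(resp.get("redirectURL") or "").hostname
        if not (300 <= resp["status"] < 400) or target != notify_host:
            continue
        origin = _header(req["headers"], "Origin")
        if origin is None:
            continue  # plain navigation: no CORS check, so the notify redirect works
        acao = _header(resp["headers"], "Access-Control-Allow-Origin")
        if acao not in ("*", origin):
            hosts.add(urlsplit(req["url"]).hostname)
    return sorted(hosts)

# Constructed HAR fragment (not a real capture); URL paths are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.youtube.com/", "headers": []},
     "response": {"status": 302, "redirectURL": "https://notify.bluecoat.com/n",
                  "headers": []}},
    {"request": {"url": "https://s.ytimg.com/app.js",
                 "headers": [{"name": "Origin", "value": "https://www.youtube.com"}]},
     "response": {"status": 302, "redirectURL": "https://notify.bluecoat.com/n",
                  "headers": []}},
    {"request": {"url": "https://s.ytimg.com/app.css",
                 "headers": [{"name": "Origin", "value": "https://www.youtube.com"}]},
     "response": {"status": 200, "redirectURL": "", "headers": []}},
]}}

if __name__ == "__main__":
    print(hosts_needing_exemption(SAMPLE_HAR, "notify.bluecoat.com"))
```

An empty result on a HAR captured after the policy change indicates that no cross-origin request is still being sent to the Notify page.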