The sandboxed iframe created by amp-consent for promptUISrc doesn't seem to have the allow-same-origin flag.
When loading the iframe which has our CMP script, we are encountering the following error in the console:
Uncaught DOMException: Failed to read the 'cookie' property from 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.
This was working until recently. I've tried using older versions of browsers on desktop/mobile and BrowserStack, and turning off the sameSite restrictions in chrome://flags. So this rules out browser issues.
Point promptUISrc to an HTML file hosted on the same domain hosting the AMP page. Below is the barebones example to reproduce.
amp_page.html:
```html
<!doctype html>
<html amp lang="en">
<head>
  <script async src="https://cdn.ampproject.org/v0.js"></script>
  <script async custom-element="amp-consent" src="https://cdn.ampproject.org/v0/amp-consent-0.1.js"></script>
</head>
<body>
  <amp-consent id='consent' layout='nodisplay'>
    <script type="application/json">
    {
      "consentRequired": true,
      "consentInstanceId": "test",
      "promptUISrc": "./promptUISrc.html",
      "clientConfig": {}
    }
    </script>
  </amp-consent>
</body>
</html>
```
I've also tried to host promptUISrc.html on a different domain/subdomain as well with no luck.
promptUISrc.html:
```html
<html>
<head>
  <script type="text/javascript">
    // Reading document.cookie is what raises the DOMException in the sandboxed iframe.
    let x = document.cookie;
  </script>
</head>
<body>hello world</body>
</html>
```
Please provide a public URL and ideally a reduced test case (e.g. on jsbin.com) that exhibits only your issue and nothing else. Provide step-by-step instructions for reproducing the issue:
The above is the barebones to test this.
All browsers, even older versions.
AMP_CONFIG.v = 012006180239002
This seems to be a new issue within the last week. It was definitely working on June 25th when I demoed an implementation. I believe our QA team also verified near the end of last week (I think maybe July 1 or 2) before the long weekend. Maybe it wasn't fully released at that time yet so QA didn't see this issue.
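An added example, not part of the original report or of AMP's code: a sketch of how a prompt page could classify the sandbox it runs under and feature-detect cookie access instead of failing on the `document.cookie` read shown above. The function names, the sandbox strings and the `fakeDocument` stand-in are constructed for illustration; in a browser you would pass the real `document`.

```javascript
// Classify an iframe sandbox attribute value (null = no sandbox attribute).
// sameOriginAsEmbedder: whether the framed URL shares the embedding page's origin.
function assessSandbox(attr, sameOriginAsEmbedder) {
  if (attr === null || attr === undefined) return 'unsandboxed';
  const tokens = new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
  // Without allow-same-origin the frame gets an opaque origin:
  // cookie and storage access throw a SecurityError.
  if (!tokens.has('allow-same-origin')) return 'opaque-origin';
  // allow-scripts + allow-same-origin on content served from the embedder's
  // own origin lets that content reach the parent and remove the sandbox.
  if (tokens.has('allow-scripts') && sameOriginAsEmbedder) {
    return 'origin-kept-escapable';
  }
  return 'origin-kept';
}

// Probe cookie access without letting the getter crash the consent script.
function probeCookieAccess(doc) {
  try {
    return { ok: true, cookie: doc.cookie };
  } catch (err) {
    if (err && err.name === 'SecurityError') {
      return { ok: false, reason: 'opaque-origin' };
    }
    throw err; // anything else is a genuine bug, do not hide it
  }
}

// Constructed stand-in for a framed document so the example runs outside a
// browser. It mimics the getter behaviour reported in the console error.
function fakeDocument(sandboxAttr) {
  return {
    get cookie() {
      if (assessSandbox(sandboxAttr, false) === 'opaque-origin') {
        const e = new Error("Failed to read the 'cookie' property from " +
          "'Document': The document is sandboxed and lacks the " +
          "'allow-same-origin' flag.");
        e.name = 'SecurityError';
        throw e;
      }
      return 'consent=pending'; // constructed sample value
    },
  };
}
```

When the probe reports `opaque-origin`, the prompt page can still render its UI and report the failure rather than aborting on the uncaught exception.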
We're experiencing the same.
This commit fixes the issue but it's still in beta: https://github.com/ampproject/amphtml/pull/29061/files
Any chance of including it in a cherry pick release?
Many thanks!
@zhouyx @jasti @micajuine-ho The fix here for allow-same-origin needs to go out: https://github.com/ampproject/amphtml/pull/29061
This issue is preventing us from obtaining consent and serving ads to all new EU users to our properties.
It is also stopping return EU users from managing their consent settings.
@oscarmarimrf @hrkhal Have you verified the fix in beta? We skipped release last week. I have filed a cherrypick request #29196
@zhouyx I have tested that the fix works. I pulled master and used the Local Amp extension to confirm that the fix worked for our properties.
@zhouyx I've confirmed the fix on our properties. Thank you.
Apologies for the breakage. Glad to hear it's fixed! Thanks for the update. Closing the issue.