CORB blocks Google Drive API calls in NW.js only #6889

Closed
AshleyScirra opened this issue Dec 6, 2018 · 7 comments

@AshleyScirra

NWJS Version : 0.31.0+ (CORB was introduced in Chrome 67)
Operating System : Windows 10 x64

In our software Construct 3, we use Google Drive's API to save users' projects to the cloud. However, since CORB (Cross-Origin Read Blocking) was introduced in Chrome 67, Google Drive API calls are blocked by CORB, but only in NW.js. Chrome itself continues to work normally, and CORB only blocks the requests in NW.js.

The API calls fail and the following is logged to the console in NW.js indicating CORB blocked access (note this appears to only be logged if dev tools is open at the time the request is made):
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.googleapis.com/drive/v3/files?pageSize=1000&fields=... with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

Previously we used the following Chromium command-line flags to disable CORB as advised here: --disable-features=CrossSiteDocumentBlockingAlways,CrossSiteDocumentBlockingIfIsolating

Unfortunately these flags were recently deleted as you can see in this commit: https://chromium.googlesource.com/chromium/src.git/+/fb46cf461915c156e955748431ce7f5127b54f4c

This means the CORB problem has started happening again in our NW.js app. We can successfully work around it again by using --disable-web-security, but this seems dangerous. We only want to disable CORB, not the entire same-origin security policy.

I don't know why CORB blocks the API calls only in NW.js. I tried making sure the user agent is identical to Chrome 71's, but that didn't help. I also tested a build of Chromium instead of Chrome; it worked, the same as Chrome, so it's specifically NW.js and not Chromium. Perhaps there is some change in NW.js that affects CORB? Alternatively, if this is too difficult to work out, perhaps NW.js could provide its own flag to disable CORB? According to the previously linked commit, there is an is_corb_enabled flag that is set to false when --disable-web-security is passed; presumably an NW.js flag could do the same.

Google Drive is a major feature of our app - if we can't find a solution we will be forced to use --disable-web-security which I'd prefer to avoid if at all possible.

@rogerwang
Member

Thanks for reporting. Perhaps that's because the NW app is using the chrome-extensions protocol by default. Could you please provide a reproduction?

I'll look to fix it.

@TheRealDannyyy

TheRealDannyyy commented Dec 7, 2018

@rogerwang Ashley's probably busy but I'm a Construct 3 user, so here are the steps to reproduce:

  1. Download and unzip Construct 3 Desktop
  2. Run Construct3.exe
  3. Click on the cloud button
  4. Click on the service selector and select "Google Drive" (Google account login required)
  5. Notice error: "Failed to refresh file list"

@rogerwang
Member

Ref #6871

@rogerwang
Member

This is fixed in git and will be available in the next nightly build.

@TheRealDannyyy

TheRealDannyyy commented Dec 10, 2018

Can't reproduce this issue using the latest nightly build. Seems to be fixed in nw.js v0.35.1.
Construct 3 desktop needs to be updated once that version goes live, I guess.

@rogerwang
Member

@TheRealDannyyy thanks for verification.

@AshleyScirra
Author

@rogerwang - confirmed 0.35.1 now works. Thanks for the quick fix!
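
Added example, not part of the thread and not NW.js or Construct 3 code: a check for the workaround switches named in the first comment, for finding any left behind in an app's manifest `chromium-args` string. The function names and sample manifest are constructed for illustration, and the tokenizer's quote handling is an assumption.

```javascript
// Added example: audit an NW.js manifest's "chromium-args" for the switches named in this thread.
const CORB_FEATURES = ["CrossSiteDocumentBlockingAlways", "CrossSiteDocumentBlockingIfIsolating"];
// Split an argument string on whitespace. Treating '...' and "..." as grouping
// is an assumption about how the string is quoted, made so values with spaces stay whole.
function splitArgs(argString) {
  const tokens = [];
  let current = "", quote = null;
  for (const ch of argString) {
    if (quote) {
      if (ch === quote) quote = null;
      else current += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
    } else if (/\s/.test(ch)) {
      if (current) tokens.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  if (current) tokens.push(current);
  return tokens;
}
// Return one finding per risky or stale switch found in manifest["chromium-args"].
function auditChromiumArgs(manifest) {
  const findings = [];
  for (const token of splitArgs(manifest["chromium-args"] || "")) {
    const eq = token.indexOf("=");
    const name = eq === -1 ? token : token.slice(0, eq);
    const value = eq === -1 ? "" : token.slice(eq + 1);
    if (name === "--disable-web-security") {
      findings.push({ severity: "high", flag: name, note: "disables the whole same-origin policy, not only CORB" });
    } else if (name === "--disable-features") {
      for (const feature of value.split(",").map((f) => f.trim())) {
        if (CORB_FEATURES.includes(feature)) {
          findings.push({ severity: "stale", flag: `${name}=${feature}`, note: "feature flag reported in the thread as deleted from Chromium" });
        }
      }
    }
  }
  return findings;
}
// Constructed sample manifest.
const sampleManifest = {
  name: "example-app",
  "chromium-args": "--disable-features=CrossSiteDocumentBlockingAlways,SomeOtherFeature --disable-web-security --user-agent='Example Agent/1.0'",
};
console.log(auditChromiumArgs(sampleManifest));
```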
