End users running Google Chrome 64 or later receive a blank page when they go to YouTube if Notify pages are set up on ProxySG or ASG.
Browser: Google Chrome 64 or later
Appliance: ProxySG, ASG
Policy: Web Access Layer >> Source: any >> Dest: simple match: youtube.com >> Action: Notify Users
If you open developer tools and inspect the blank YouTube page, the following message is visible:
Browser Error: Redirect from 'https://s.ytimg.com/...' to 'https://notify.bluecoat.com/...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.youtube.com' has therefore not allowed access.
This issue appears with the latest Chrome update, which places more focus on security and privacy. One of the biggest changes introduced in this version of Chrome relates directly to website redirects that cross domains.
Due to the nature of CORS policy and how it relates to Notify pages, this issue can be addressed with a minor modification to policy, without requiring any advanced configuration in the browser. Note: It is recommended that you do not disable features like 'CORS Policy' at the browser level, as they are typically in place to protect users. In Google's latest version of Chrome, it doesn't appear to be possible to disable this any longer.
The solution is simple. The redirect to YouTube from the Notify page works without any issue; the problem surfaces in the request to YouTube's content server, ytimg.com. The simplest solution is to add a new rule in policy, directly above the existing Notify rule, structured similarly to:
Source: any >> Dest: simple-match: ytimg.com >> Action: none
The key to this rule is ensuring you apply an Action of "none." This causes policy evaluation to match on the request to ytimg.com and stop before it reaches the Notify page rule below it. Since the request to ytimg.com is no longer redirected to the Notify page, there is no longer a violation of CORS policy, and the page loads as intended after the user clicks through the Notify page.
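To find which content hosts need such a rule, the console errors can be parsed for blocked redirects that point at the Notify host. The following is an added example, not part of the original article or any vendor tooling; the function names are assumptions, and apart from the first message (the one quoted above) the sample console lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Host serving the Notify page, as it appears in the error message in this article.
NOTIFY_HOST = "notify.bluecoat.com"

# Chrome console message format as quoted in this article.
CORS_REDIRECT = re.compile(
    r"Redirect from '(?P<src>[^']+)' to '(?P<dst>[^']+)' "
    r"has been blocked by CORS policy.*?Origin '(?P<origin>[^']+)'"
)

def blocked_notify_redirects(console_text, notify_host=NOTIFY_HOST):
    """Count CORS-blocked redirects to the Notify host, keyed by
    (page origin host, subresource host that was redirected)."""
    hits = Counter()
    for line in console_text.splitlines():
        m = CORS_REDIRECT.search(line)
        if not m:
            continue  # not a blocked-redirect message
        if urlsplit(m["dst"]).hostname != notify_host:
            continue  # a CORS failure unrelated to the Notify page
        key = (urlsplit(m["origin"]).hostname, urlsplit(m["src"]).hostname)
        hits[key] += 1
    return hits

def exemption_rules(hits):
    """Render one 'Action: none' rule per redirected host, in the article's notation."""
    hosts = sorted({src for _origin, src in hits})
    return [f"Source: any >> Dest: simple-match: {h} >> Action: none" for h in hosts]

# Sample console output. First entry is the article's message; the rest is constructed.
_MSG = ("Redirect from '{src}' to '{dst}' has been blocked by CORS policy: "
        "No 'Access-Control-Allow-Origin' header is present on the requested "
        "resource. Origin '{origin}' has therefore not allowed access.")
_YT = dict(src="https://s.ytimg.com/...", dst="https://notify.bluecoat.com/...",
           origin="https://www.youtube.com")
SAMPLE_CONSOLE = "\n".join([
    _MSG.format(**_YT),
    _MSG.format(**_YT),  # constructed repeat of the same failure
    _MSG.format(src="https://cdn.example.net/app.js",  # constructed, unrelated to Notify
                dst="https://login.example.net/sso", origin="https://www.example.org"),
    "[Violation] 'setTimeout' handler took 58ms",  # constructed noise line
])

if __name__ == "__main__":
    for rule in exemption_rules(blocked_notify_redirects(SAMPLE_CONSOLE)):
        print(rule)
```

The script reports the exact hosts observed (here s.ytimg.com), while the rule above matches the parent domain ytimg.com; either form goes directly above the existing Notify rule.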