Drive Picker Fails today with incorrect origin

[Darren D'Mello]

I have the following ode, that was working fine for over years. Today all of a sudden many users started complaining that they werent able to load the Drive picker

This is what I saw today (Image attached)

var picker = new google.picker.PickerBuilder()

.enableFeature(google.picker.Feature.MULTISELECT_ENABLED)

.enableFeature(google.picker.Feature.SUPPORT_DRIVES)

.setSelectableMimeTypes('application/vnd.google-apps.document,application/vnd.google-apps.folder,application/vnd.openxmlformats-officedocument.wordprocessingml.document')

.addView(docsView)

.addView(docsViewSharedDrive)

.addView(uploadView)

.hideTitleBar()

.setSize(DIALOG_DIMENSIONS.width - 2, DIALOG_DIMENSIONS.height - 2)

.setOAuthToken(token)

.setCallback(pickerCallbackChoose)

.setOrigin(google.script.host.origin)

.build();

Any suggestion please?

[Alan Wells]

Since the error msg states something about the origin,

I'm assuming that the error is related to the following line of code:

.setOrigin(google.script.host.origin)

I'm guessing that the google picker is designed to test for whether

the picker window, and the window that launched the picker have the same origin.

I believe that this is to avoid cross browser security issues between open tabs, like

code injection attacks coming from a different browser tab to execute malicious code.

From the error msg we don't know whether the issue is from the browser, the Google picker, a Google document or Apps Script, or a service error.

You could test your app from different browsers to determine whether it's a browser specific problem.

If the Google picker code, and Apps Script code related to the picker haven't changed, then I'd guess

that it's more likely to be a browser issue?

I don't know of any other alternative for

.setOrigin(google.script.host.origin)

google.script.host.origin is a Google client side API.

https://developers.google.com/apps-script/guides/html/reference/host?hl=en

I don't know if this could be a temporary service error.

It's hard to know what the origin of the error is.

I'd try the picker in different browsers first.

[Faustino Rodriguez]

getting the same error with a similar code

it looks like something might have changed at Google side

[Faustino Rodriguez]

looking at the error console, I found the following

1. the .setOrigin(google.script.host.origin) is converted into https://docs.google.com/ what I believe is correct
2. but then it said: 'ALLOW-FROM https://docs.google.com/' is not a recognized directive. The header will be ignored.
3. so it looks like now, origin is ignored so it throwing the "Invalid origin value" message

no idea what to do if anything, but this code has been working for quite sometime without any issues

in my case it is a published add-on that requires drive.file scope for a particular option ... now that's broken

[Faustino Rodriguez]

Just sharing the information I am gathering in case somebody around can do anything about it (I cannot)

1. Google documentation on how to set the the drive picker is still showing the same way to set the origin - .setOrigin(google.script.host.origin)
2. On the Picker Api Reference says something that might be similar or not ... under PickerBuilder.setOrigin(string) ... Sets the origin of picker dialog. The origin should be set to the window.location.protocol + '//' + window.location.host of the top-most page, if your application is running in an iframe.
3. However on the X-Frame-Options in Mozilla documentation under the option ALLOW-FROM uri it says: This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. ... and so on
4. The point on obsolete ALLOW-FROM directive looks related with the error message we got now: 'ALLOW-FROM https://docs.google.com/' is not a recognized directive. The header will be ignored
   
5. I have found no way so far to catch and log this error, so I have no idea of their extend, but at least is has already affected a few users that have reported it

Good luck for the rest of us.

I guess this is affecting every GAS Picker around, doesn't it?

[Michael O'Shaughnessy]

I ran into this same issue... I am not sure why things I coded in the past no longer work...

I started investigating and here are some things I found:

1. I no longer need to create a project, get a developer key, set the key... blah blah blah.

2. When I got the origin error, I found an old solution that used "https://docs.google.com" in the "setOrigin" of the picker and it worked.

So, I created a new spreadsheet, opened the code editor, scripted up some very simple code and in the picker builder used "docs.google.com" in the setOrigin and wouldn't you know it... it works!  Go back to the code, change origin to "google.script.host.origin" (which is what is shown in the examples from Google) and I get the "origin error".

Here is a sample spreadsheet that you can make a copy and try it out for yourself:

https://docs.google.com/spreadsheets/d/1T71twI67mTeja6GyNL5hXlVGwLv9ZUXNQiKEOe0y1g0/copy 

Open the script editor and in the Picker.html file you will see no "api or developer stuff" used and you can quickly comment out the "setOrigin" to toggle between the two settings.

I did some more work on this wondering if there are problems with the Picker from a web app.  So I quickly copied the code, changed "onOpen" to a "doGet" and deployed as a web app... Gave it a shot and guess what?  I got the "origin" error!!!  Went back to the code and changed setOrigin to "google.script.host.origin", saved it, reloaded my web app and guess what... it works!!

So here is my suggestion:

Change "google.script.host.origin" to "https://docs.google.com"

Also, if someone can "verify" they can use the Picker WITHOUT getting and using a "developer key" and let me know if you are successful or not that would be great!

Also in my research I found this "tidbit of info" from Google about "Sandbox Mode" (in a nutshell it is no longer supported except IFRAME)

https://developers.google.com/apps-script/guides/html/restrictions#sandbox_mode 

Hope this helps!!

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/a0c8c78d-8c42-4632-8735-92a5d1352a28n%40googlegroups.com.

[Alan Wells]

I tried using:

.setOrigin("https://docs.google.com/")

and I STARTED getting the error dialog.

So, for me, it causes the error instead of getting rid of it.

[Faustino Rodriguez]

Thanks !!

I just did the change only on the setOrigin() line as suggested and still get the same Invalid origin value error message

- In my case it is a published Google Sheets add-on that worked fine until yesterday

[Alan Wells]

In case anyone is interested, there is a Stack Overflow post at:

https://stackoverflow.com/q/65632969/2946873

On Thursday, January 7, 2021 at 9:48:55 PM UTC-5 miscellan...@gmail.com wrote:

[Darren D'Mello]

Putting an end, the only way to solve this is to remove the trailing slash after 

From

docs.google.com/ 

To 

docs.google.com

Contrary,

The google.script.host.orgin gives the "https://docs.google.com/" which causes the error. Hence you need to hard code as 

"https://docs.google.com"

Google has made some changes. May be they forgot the trailing slash.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/3f6f8af6-5ce8-4f2b-89fb-d7b56a3a18fdn%40googlegroups.com.

[Faustino Rodriguez]

I should be missing something else

I did the following changes 

// .setOrigin(google.script.host.origin) // 2021-01-08 issue Invalid origin value.

.setOrigin('https://docs.google.com')

- commenting the original setOrigin

- and replacing it with the full URL without the trailing slash

- but still getting the same error

[Alan Wells]

Removing the ending slash doesn't change anything for me.

Interestingly, I get the error in my browsers console, but it doesn't prevent my picker from working.

[Faustino Rodriguez]

I tried the Simple Picker Work spreadsheet script suggested before and it worked as expected, within that scenario (embedded script executed by the owner)

- But changing setOrigin and even removing setDeveloperKey, it didn't work in a published Sheets add-on

However, even though it worked within the Simple Picker Work spreadsheet script, it still shows the same error in the console:

Invalid 'X-Frame-Options' header encountered when loading 'https://docs.google.com/picker?protocol=gadgets&origin=https%3A%2F%2Fdocs.google.com&title&oauth_token=ya29.a0AfH6SMA7ThZH9C53tNLvcsLsun03PY-uR2WBbbN0hgW8SySyY_y3CeN7x2RNQ2RLlEwMhdg8YUwciJyFEyUKEbNDDosH8XaqxfgpaKoRQY6CJKZRCag1NJLgVJTroVktiBXqOCqj_ioelY8uHAzYUquQmQf7rJjivPHY7ZJz-Olu&hostId=n-5unh5xhotx7lgydy4sljfayzjs5jvvjx5nohrjy-0lu-script.googleusercontent.com&relayUrl=https%3A%2F%2Fn-5unh5xhotx7lgydy4sljfayzjs5jvvjx5nohrjy-0lu-script.googleusercontent.com%2Ffavicon.ico&nav=((%22folders%22%2Cnull%2C%7B%22selectFolder%22%3Atrue%7D)%2C(%22documents%22))&rpcService=s8tdbpytyeyv&rpctoken=1ffz0q7vyw18&thirdParty=true#rpctoken=1ffz0q7vyw18': 'ALLOW-FROM https://docs.google.com' is not a recognized directive. The header will be ignored.

[Faustino Rodriguez]

By the way, there are two new (similar) issues in the tracker about this error

https://issuetracker.google.com/issues/177067222

https://issuetracker.google.com/issues/176998956

[Darren D'Mello]

I have starred the issue. Please request to star them whoever is affected.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/2a41c19e-93d0-4e66-bfca-2083ef53421bn%40googlegroups.com.

[Faustino Rodriguez]

I finally fixed this issue just by changing setOrigin to .setOrigin('https://docs.google.com')

- I had an overlapping V8 vs. Rhino issue in one of my implementations that was confusing me while dealing with the setOrigin issue

- funny though, the same error messages are logged in the console, but the Picker works nevertheless

By the way,

- It looks like .setOrigin(google.script.host.origin) still works fine in Rhino

[Alan Wells]

There are 3 issues in the Issue Tracker.

The one that is accepted is:

https://issuetracker.google.com/issues/177046274

@Faustino

Could you make a comment that

.setOrigin(google.script.host.origin) still works fine in Rhino

[Faustino Rodriguez]

@Allan

Done, the comment #12 in the issue tracker

[Сергей К]

It stopped working for me today.
My script is in an iframe, in .setOrigin I have my site address inserted, not google.script.host.origin.

How can you fix the problem.

cb=gapi.loaded_0:210 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://docs.google.com') does not match the recipient window's origin ('https://n-34kj7g4jpb3qo5ugfj5qjt2m5653tlls6wpvdyy-0lu-script.googleusercontent.com').

Refused to frame 'https://docs.google.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://n-34kj7g4jpb3qo5ugfj5qjt2m5653tlls6wpvdyy-0lu-script.googleusercontent.com https://mydomain.name

вторник, 12 января 2021 г. в 19:32:20 UTC+3, Faustino Rodriguez:

[Сергей К]

DECISION

https://developers.google.com/apps-script/guides/dialogs#code.gs_2

code.gs

         function showPicker() {

          var html = HtmlService.createHtmlOutputFromFile('dialog.html')

              .setWidth(600)

              .setHeight(425)

              .setSandboxMode(HtmlService.SandboxMode.IFRAME);

          SpreadsheetApp.getUi().showModalDialog(html, 'Select a file');

    }

.setSandboxMode(HtmlService.SandboxMode.IFRAME); 

//can be removed or replaced with

.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);

  

dialog.html

function getOrigin() {

        var url = "https://mydomain.name/";

        return url.substr(url.length - 1) === "/" ? url.substr(0, url.length - 1) : url;

    }

 

четверг, 11 февраля 2021 г. в 20:19:52 UTC+3, Сергей К:

[Сергей К]

Now it works without any changes in the code.

четверг, 11 февраля 2021 г. в 21:12:15 UTC+3, Сергей К: