Login/Register
Cross-Origin-Opener-Policy policy would block the window.closed call error while using google auth
Asked Answered
firebasenext.jsoauth-2.0firebase-authenticationcors
B

7

70

I am using firebase and its google auth tool , everything works fine the user data is getting saved in the database but i get a error every time the popup window appears (Cross-Origin-Opener-Policy policy would block the window.closed call)

enter image description here enter image description here

i am using next js and do help me resolve the error thank you

Briefcase answered 10/6, 2023 at 15:20 Comment(4)
can you share the code link or create a reusable codebase? it might be because of a configuration issue, package versions, or even Chrome version. I never had such an issue with FirebaseMalang
Same error here, I was trying to access from localhost because thats what has always worked, but was getting the CORS error. I then switched from localhost to the localhost IP (which I needed to add to firebase authorized domains), and it worked, and now it works for both localhost and the localhost ip. Strange.Wheatworm
Did you manage to figure this out? Have the same issue, although using Angular.Hardandfast
Ugh, same. Are all +20 of us doing something wrong or is there something buggy with Firebase? I'm using SvelteKit.Snap
S
8

This error appears in the firebaseui npm package.

The first important thing to understand is that sign-in problem might not be related to the displayed console error: Cross-Origin-Opener-Policy policy would block the window.close call.

signInFlow="redirect"

The easiest way to check that your code is working without the error is to switch temporarily from signInFlow="popup" to signInFlow="redirect", which is the default value in Firebase UI Auth.

If Auth does not work

Check the code on:

  • Missed JS Context, for example, <AuthProvider/> in React.

  • Subscribe to firebase/auth events and check that the user object is returned (React example):

    import { getAuth, onAuthStateChanged } from 'firebase/auth';


const StyledFirebaseAuth = () => {   
  useEffect(() => {

  const unregisterAuthObserver = onAuthStateChanged(
   getAuth(),
   async (user) => {
     console.log('user', user);
   },
 );

// the rest of code
}

  • Check Firebase Sign-in method settings to allow specific providers Firebase Sign-in method

  • Check Firebase Authentication allowed domains Firebase Authentication allowed domains

  • Check your Firebase configuration for the web application:

     const firebaseConfig = {
   apiKey: "ABCDEF...",
   authDomain: "your-project-domain",
   projectId: "you-project",
   appId: "1:abcdef..."
 };

Trying get rid of the console error

Chrome blog suggests to use Cross-Origin-Opener-Policy: restrict-properties with Cross-Origin-Embedder-Policy: require-corp. Sadly, it will not work with Firebase UI.

The problem is with Cross-Origin-Embedder-Policy header, which is by default should be set to unsafe-none.

This header should be returned with the html page or omitted (the implicit default value). It is possible to set it up manually.

response headers

Please notice that to correctly test it, a server should be restarted and browser cache cleared or a new incognito window used.

Local development:

Below are React examples but similarly should work other frameworks.

  • For create-react-app and craco modify craco.config.js as: 
     module.exports = {
   devServer: {
     headers: {
       'Cross-Origin-Embedder-Policy': 'unsafe-none'
     }
   }
 }
  • For Next.js modify next.config.js: 
     module.exports = {
   async headers() {
     return [
       {
         source: "/login",
         headers: [
           {
             key: "Cross-Origin-Embedder-Policy",
             value: "unsafe-none",
           },
         ],
       },
     ];
   },
 };

Firebase hosting

Firebase allows to specify headers that are passed for the hosted files, including .html, .js. Modify firebase.json file, for example, for a Single Page Application (SPA):

{
  "hosting": [
    {
      "target": "web",
      "public": "web/build",
      "ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
      "rewrites": [
        {
          "source": "**",
          "destination": "/index.html"
        }
      ],
      "headers": [
        {
          "source": "**/*",
          "headers": [
            {
              "key": "Cross-Origin-Embedder-Policy",
              "value": "unsafe-none"
            }
          ]
        }
      ]
    }
  ]
}

Although after my attempts to change Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and Cross-Origin-Embedder-Policy to different values still the error log appears in the Chrome browser but the sign-in method is working.

For more strict security settings and the unsafe-none value please refer to the documentation.

Stearn answered 15/10, 2023 at 17:58 Comment(3)
@Arthur A Can you please tell me how should I add unsafe-none for npm create vite@latest my-project -- --template react?Singe
@ThakurSaad you can use defineConfig for vite, similar to github.com/vitejs/vite/issues/11862Stearn
I've done this export default defineConfig({plugins: [react()], server: { headers: {"Cross-Origin-Embedder-Policy": "unsafe-none",},},}); But still getting the console error.Singe
S
6

This header helps you to stay away from malicious websites. It allows you to control how you open your tabs or windows from your website and restrict interactions with other sources.

please refer to this Google auth setup article regarding the cross-origin opener policy

https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid#cross_origin_opener_policy

It recommends using same-origin-allow-popups header instead of same origin for Cross-Origin-Opener-Policy on pages where you use google sign in button.

Scandura answered 7/7, 2023 at 4:42 Comment(1)
It didn't work for me. So far I haven't been able to solve this issue.Underclothes
I
1

Check your SCOPES for the API.

Ran into this issue authorizing the Google Calendar API. For some reason it was working with my dev account but any other account would throw the "cross origin opener policy policy would block the window" error.
Turns out I accidentally had "const SCOPES = 'https://www.googleapis.com/auth/calendar.readonly'. All I had to do was update the SCOPES to "https://www.googleapis.com/auth/calendar" and everything worked.

https://developers.google.com/calendar/caldav/v2/auth

Intramuscular answered 28/6, 2023 at 15:23 Comment(0)
S
0

Please check your firebaseConfig, you can find it in Project Settings/ General on your Firebase, if you have made some changes to the project name or so, it might have conflicts between your firebaseConfig and the updated one on Firebase

Sulphathiazole answered 15/7, 2023 at 18:19 Comment(0)
G
0

I had the same issue, and I changed the method from "signInWithPopup" to "signInWithRedirect". But with this method, you need to handle this redirect with "useEffect" hook. I would paste my code here just for the reference.

import { getRedirectResult, signInWithRedirect } from 'firebase/auth';
import { useEffect, useState } from 'react';
import { auth, provider } from '../../services/auth';

const Login = () => {
    const [isLoading, setIsLoading] = useState(false);

    useEffect(() => {
        setIsLoading(true)
        getRedirectResult(auth).then(response => {
            if (!response) return

            // Your code here
        }).catch(error => {
            console.error(error);
        }).finally(() => setIsLoading(false))
    }, []);


    const onClick = async () =>
        signInWithRedirect(auth, provider).catch(error => {
            console.error(error);
        })

    return <button onClick={onClick} disabled={isLoading}> {isLoading ? "Loading. Please wait!" : "Sign In With Google"} </button>
}

export default Login;
Grandmamma answered 21/12, 2023 at 10:36 Comment(1)
The issue changing to redirect is that Safari doesn't allow third party cookies which are required so the user won't be able to login. They can change a setting in Safari but that's rarely an acceptable workaroundSpokeshave
C
-2

If you look in the console you should see an error saying that the domain doesn't have permission to do google sign in. What you need to do is go to the firebase console -> authentication -> settings and click on "authorized domains" and add your domain

Cosmism answered 14/6, 2023 at 5:24 Comment(3)
No errors like that were found, I even tried too add localhost there in firebase and even hosted and added the domain there but the same error pops upBriefcase
Hi, Comder. Welcome to SO. Rather than down-vote your answer, I want to just let you know two things. 1. While you have suggested something that causes certain firebase auth errors... this is not that error. (I've seen that one. This isn't it.) 2. You can delete answers you realize aren't very good, so you don't get too many down-votes. Have a look at: meta.#263546Bobine
Ah, this actually was the solution for me. But it's not because I was trying to solve this error itself. The pop up was working on localhost (with the error) but when I could not get it to work on the prod env, this error was all I could go off of. This answer was the reminder I needed to adjust my firebase auth settings, thanks!Ilion
P
-3

Switching from Chrome to Firefox, worked for me. Maybe, It is an issue with Chrome.

Parulis answered 26/6, 2023 at 13:38 Comment(3)
Hi, Martin. Welcome to SO. Rather than down-vote your answer, I want to just let you know two things. 1. Your answer is very pleasant, like something one friend might say to another. But it's neither fact-based nor methodical, so not a good answer on SO. 2. You can delete answers you realize aren't very good. Have a look at: meta.#263546Bobine
It could very well be a chrome issue/firebase bug. I notice this error is still shown in the console, even when the pop up works in production.Ilion
Well, as far as I can see he is right. This happens on Google Chrome but not on Firefox.Underclothes

© 2022 - 2024 — McMap. All rights reserved.