Videos on facebook unable to play due to CORS policy in Chrome

[wolph]

Solution

Disable the "Spoof Referer header" flag:

Prerequisites

The only somewhat related issue I could find in the old tracker is 3 years old so that's probably unrelated: gorhill/uMatrix#369
I have the issue both on Windows and OS X in Chrome 66.0.3359.181 with a fresh browser profile.

Description

When uMatrix is enabled (even when all rules are disabled) all facebook videos stop playing for me.

A specific URL where the issue occurs

https://www.facebook.com/nos/videos/2241787655836780/

Steps to Reproduce

1. Open https://www.facebook.com/nos/videos/2241787655836780/
2. Try to play video

Supporting evidence

script.js:9626 vid play initiated
(index):1 Failed to load https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=0&byteend=950: Redirect from 'https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=0&byteend=950' to 'https://video.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=0&byteend=950' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.facebook.com' is therefore not allowed access.
(index):1 Failed to load https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=951&byteend=1150: Redirect from 'https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=951&byteend=1150' to 'https://video.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=951&byteend=1150' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.facebook.com' is therefore not allowed access.
(index):1 Failed to load https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=1151&byteend=219322: Redirect from 'https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=1151&byteend=219322' to 'https://video.xx.fbcdn.net/v/t42.1790-2/35066562_260202958055046_950958961094295552_n.mp4?_nc_cat=1&...%3D&...&oe=5B1F1408&bytestart=1151&byteend=219322' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.facebook.com' is therefore not allowed access.
(index):1 Failed to load https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=0&byteend=873: Redirect from 'https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=0&byteend=873' to 'https://video.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=0&byteend=873' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.facebook.com' is therefore not allowed access.
(index):1 Failed to load https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=874&byteend=1073: Redirect from 'https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=874&byteend=1073' to 'https://video.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=874&byteend=1073' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.facebook.com' is therefore not allowed access.
(index):1 Failed to load https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=1074&byteend=13529: Redirect from 'https://video-ams3-1.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=1074&byteend=13529' to 'https://video.xx.fbcdn.net/v/t42.1790-2/35163974_229853394268893_5263081919842615296_n.mp4?_nc_cat=1&...%3D%3D&...&oe=5B1F2678&bytestart=1074&byteend=13529' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.facebook.com' is therefore not allowed access.

The only thing that works is disabling umatrix completely

Your environment

• uMatrix version: uMatrix 1.3.8 and uMatrix 1.3.10
• Browser Name and version: Google Chrome 66.0.3359.181
• Operating System and version: OS X 10.11.6 and Windows 10

[Remu-rin]

On the screen you have two switches enabled, one of them is obviously referer spoofing. Disable it and video on the link will work.
This is described in the wiki, which you didn't read. About "the page is still broken after I created all necessary rules"

Did you verify that one or more per-scope switches are also interfering?
Keep in mind that the per-scope switches are independent of the matrix filtering switch, so stuff can still be blocked/modified when per-scope switches are enabled.

[wolph]

That screenshot is from my own profile, but I've tried using a brand new profile as well (as I described) with all settings left to default except for whitelisting everything on facebook.

I actually did search through the wiki as well. I searched through both this and the other repository for CORS to see if there have been similar issues and I found no useful info. Nowhere does it mention that the CORS policies are affected by the "Spoof Referer header" setting which is enabled by default...

I followed all of the lengthy steps of the issue creation process... perhaps an extra step needs to be added ;)

[uBlock-user]

Disable Spoof Referrer Header for facebook.com and save it. Refresh the page to be able to play the video.

[uBlock-user]

Added a notice for the individual switches which can cause website breakage - https://github.com/gorhill/uMatrix/wiki/Per-scope-switches

[xznhj8129]

Videos not working even with both switches disabled

[gwarser]

@snow-frog any evidence?

[wolph]

It might take a forced reload, it didn't work for me either initially which is why I didn't assume this to be the issue.

[xznhj8129]

Forced reloads, browser restart, everything. gwarser is my word not enough for you? I can confirm that disabling umatrix solves the problem and that both spoof switches are OFF.

[uBlock-user]

Something else is interfering then on your end, another extension probably. Facebook videos play as long as I disable referrer spoofing on facebook.

is my word not enough for you?

It's not about word, if it's an issue, providing more than word i. e. steps to reproduce, helps to be able to reproduce, to verify.

[gwarser]

gwarser is my word not enough for you

Sorry, perhaps "evidence" is not correct in this context. We just need more data.

[gorhill]

is my word not enough for you?

We just need more words with useful information from you. What does the logger say when you hard force reload the page which contains the video?

[xznhj8129]

Alright, no worries, sorry. Logger says a whole lot of things but nothing recognizable in particular

19:16:22			xhr	https://www.facebook.com/ajax/bz
19:16:12			xhr	https://5-edge-chat.facebook.com/pull?channel=p_100026803488778&seq=11&partition=-2&clientid=4f089a66&cb=1j2a&idle=51&qp=y&cap=8&pws=fresh&isq=460&msgs_recv=11&uid=100026803488778&viewer_uid=100026803488778&sticky_token=358&sticky_pool=atn1c09_chat-proxy&state=active&mode=stream&format=json
19:16:08			cookie	https://facebook.com/{session-cookie:presence}
19:16:05			image	https://static.xx.fbcdn.net/rsrc.php/v3/yF/r/MzwrKZOhtIS.png
19:16:04			cookie	https://github.com/{session-cookie:_gh_sess}
19:16:02			xhr	https://github.com/hovercards?user_id=21290713&subject=issue:331359030
19:15:54			cookie	https://facebook.com/{session-cookie:presence}
19:15:48			cookie	http://google.com/{persistent-cookie:SIDCC}
19:15:47			xhr	https://0.docs.google.com/spreadsheets/d/1bTlaN8aWwZ5NJ0vzFUufmaNFd3n5PXg1mLM8haCg6ks/bind?id=1bTlaN8aWwZ5NJ0vzFUufmaNFd3n5PXg1mLM8haCg6ks&sid=6ccd045325f72b5b&token=AC4w5VjMJ6y09Ref1yXJdORC8kmkpmPadQ%3A1532796722805&includes_info_params=true&VER=8&lsq=1532796722392&u=15110516720646839776&c=1&w=1&gsi=0&ssfi=23022&smv=45&cimpl=1&RID=rpc&SID=64598923451F110A&CI=0&AID=1244&TYPE=xmlhttp&zx=3i9id6f7qbu1&t=1
19:15:47			xhr	https://0.docs.google.com/spreadsheets/d/1bTlaN8aWwZ5NJ0vzFUufmaNFd3n5PXg1mLM8haCg6ks/bind?id=1bTlaN8aWwZ5NJ0vzFUufmaNFd3n5PXg1mLM8haCg6ks&sid=6ccd045325f72b5b&token=AC4w5VjMJ6y09Ref1yXJdORC8kmkpmPadQ%3A1532796722805&includes_info_params=true&VER=8&lsq=1532796722392&u=15110516720646839776&c=1&w=1&gsi=0&ssfi=23022&smv=45&cimpl=1&RID=rpc&SID=64598923451F110A&CI=0&AID=1244&TYPE=xmlhttp&zx=3i9id6f7qbu1&t=1
19:15:22			xhr	https://5-edge-chat.facebook.com/pull?channel=p_100026803488778&seq=6&partition=-2&clientid=4f089a66&cb=dmsa&idle=1&qp=y&cap=8&pws=fresh&isq=460&msgs_recv=6&uid=100026803488778&viewer_uid=100026803488778&sticky_token=358&sticky_pool=atn1c09_chat-proxy&state=active&mode=stream&format=json
19:15:22			cookie	https://facebook.com/{persistent-cookie:pnl_data2}
19:15:22			cookie	https://facebook.com/{session-cookie:act}
19:15:21			image	https://scontent-yyz1-1.xx.fbcdn.net/v/t15.0-10/s350x350/21055597_255801254926866_4298366633765765120_n.jpg?_nc_cat=0&oh=a76cb91d99e36ac1ccb1f690fa54d77c&oe=5C0A1ECC

19:15:21			image	https://static.xx.fbcdn.net/rsrc.php/v3/y-/r/D_zOx79WBMU.png
19:15:21			image	https://static.xx.fbcdn.net/rsrc.php/v3/yD/r/C7haXO7N3jB.png
19:15:21			image	https://static.xx.fbcdn.net/rsrc.php/v3/yQ/r/xsAfzG-Yhr3.png
19:15:21			xhr	https://5-edge-chat.facebook.com/sub?cb=ar3l&sticky_token=358&uid=100026803488778&viewer_uid=100026803488778&sticky_pool=atn1c09_chat-proxy&profile=desktop&clientid=4f089a66&cap=8
19:15:21			xhr	https://video-yyz1-1.xx.fbcdn.net/v/t42.1790-2/37840101_2033685039989054_5120041573102387200_n.mp4?_nc_cat=0&efg=eyJ2ZW5jb2RlX3RhZyI6ImRhc2hfdjRfaHExX2ZyYWdfMl9hdWRpbyJ9&oh=7be42ecf10b9a98a465f094675be3d89&oe=5B5D2706&bytestart=881&byteend=1008
19:15:21			xhr	https://video-yyz1-1.xx.fbcdn.net/v/t42.1790-2/37891273_280574282706798_7456235544238882816_n.mp4?_nc_cat=0&efg=eyJ2ZW5jb2RlX3RhZyI6ImRhc2hfdjRfaHExX2ZyYWdfMl92aWRlbyJ9&oh=12fcbc0ba9199ca3ae221f935032e585&oe=5B5D1FC9&bytestart=962&byteend=1077
19:15:20			xhr	https://www.facebook.com/ajax/bz
19:15:20			xhr	https://www.facebook.com/video/tahoe/upnext/async/211139876216840/?viewed_videos[0]=211139876216840&caller=tahoe&cursor=110060719672553%3A0%3A1%3AMTUzMjgxOTY2NzoxNTMyODE5NjY3OjI0Oi03MjU0MDY0NDU0NjgwOTgxNDU0OjA6NjU4MzQxMDM0MTE4NTk4NzU3OQ%3D%3D&dpr=1
19:15:20			xhr	https://www.facebook.com/video/tahoe/async/211139876216840/?originalmediaid=211139876216840&playerorigin=permalink&playersuborigin=tahoe&ispermalink=true&numcopyrightmatchedvideoplayedconsecutively=0&payloadtype=all&dpr=1
19:15:20			xhr	https://www.facebook.com/ajax/imm/?dpr=1
19:15:20		cookie deleted: https://facebook.com/{persistent-cookie:pnl_data2}
19:15:19			script	https://www.facebook.com/xti.php?xt=AZWKFpXLVCK5XlMofmUDG0BcPOGnUAmMEBDi3ShD-VmHHg0VUZz8d5--pA2-aYnEewbNZb5hY4RxQ8lE6F_DMmhz8GyRKSIb7O-HQpIbM55_grVfKF9F4HXKWluJDatXdnLN5icDQTZji_WxH4A9lhhjbHc_pFCbuYbH_0YwTzr1Wfi5oCkCtyh1J-RSzELJ3a2s2GGraPLwa2ht-mtw2pFlbsI9Euokt_jGv6y8mYx3FJepB6NXsomEspGNd4efy7goeiJbKUrF4DjRYlG8g3Kppo6x9gME4YS2HQk18-xtYMf7NAl7yHvOC7P8izEQkxEQr-FRheRAMVWvhr35mtNNP0vRIhxBxmnt_fcV22fdCrtCz1K7PvtfRDRBEGbN9W2m8aUfP8FjFZ1Octj3i_0p5YgxHX_kCRXv53Fiv7hfQihdQV4QHQKg3PIJ7jDLr3FPUyK0klL5aZWq4RdQNxRFFPtQFSR05ucODKoJfYD7rw77NbAF1N3yV3r4ve3L9TDbRYjavjYkQgqxbdkmAFCu6gfScnEchtNaXUGUz6GAR6wwvHDZi_POE0r2v-R1JKJpWsTTG632snn-rFgvpBMg_PylREb-dfoeG9Bh4eT9hB79LFJrmJ6cXLSNZ6X88yv9hSxlEfud4NfWz9P8Hq_JeY_MOO_0ZxXY_XEbFDITy80B61g4zGliP588BWrBip5Qw1DSosUzMCeo0fKIdnZUdYyXD7qmgjW_sZnkEHkSIFPrZWbACE0GI2ofOCg0MoMTDpUSSXE3TTbMCR2vmYm8&isv=1&cts=1532819719&csp&hba=false&etid=1532819719723_2000649846{inline_script}
19:15:19			cookie	https://www.facebook.com/{localStorage}
19:15:19			frame	https://www.facebook.com/xti.php?xt=AZWKFpXLVCK5XlMofmUDG0BcPOGnUAmMEBDi3ShD-VmHHg0VUZz8d5--pA2-aYnEewbNZb5hY4RxQ8lE6F_DMmhz8GyRKSIb7O-HQpIbM55_grVfKF9F4HXKWluJDatXdnLN5icDQTZji_WxH4A9lhhjbHc_pFCbuYbH_0YwTzr1Wfi5oCkCtyh1J-RSzELJ3a2s2GGraPLw

[xznhj8129]

Can confirm that it's not privacybadger, decentraleyes, HTTPEverywhere, Adnausam or noscript causing the problem; only uMatrix.
I have to add that i did have this problem a few days ago but it was fixed by setting spoofing switches to off; however now the problem is back.

[uBlock-user]

Where does it happen specifically ? link to facebook video ?

[xznhj8129]

Any video. When they would usually play automatically, they don't; and clicking on them brings you to their main "player" page, again it does not autoplay, and clicking on the video to play it does something like reload the frame whitout playing.

[uBlock-user]

Disable all your extensions except uMatrix and try again. If that doesn't help, reset your uMatrix's settings to default and then add referrer-spoof: facebook.com false to My Rules.

Without a specific video URL, I can only guess and suggest, you will have to investigate on your own to see what's causing this.

[gorhill]

Any video.

Provide the information when asked please. I am not a Facebook user and by not providing an actual link you are telling me to spend time to go find one myself, something you should be providing to save time for all. Beside, this is basic debugging step: try to reproduce exactly the issue you are having, and an exact URL is a key step so that we test the same thing.

[gwarser]

@snow-frog this one from OP is working? https://www.facebook.com/nos/videos/2241787655836780/

[gorhill]

I couldn't reproduce and I still can't reproduce using above link after unblocking what was needed -- that video plays just fine. Also using Decentraleyes.

@snow-frog didn't provide any information about browser, version numbers, what exactly are his symptoms, or how exactly did he ascertained that the issue does not lie with any of the other blockers (it's easy to come to the wrong conclusion when not ruling out methodically), etc. Given how things are going here, I am quite convinced his issue is elsewhere than with uMatrix.

[xznhj8129]

Sorry, i just assumed you were a facebook user.
No, that video does not work.
Firefox is Quantum, 61.0.1 (64-bit). The exact symptoms is that the videos do not play just as if the switches were on. I have methodically disabled every other addon one by one to single out any other culprit, and the problem only manifests when uMatrix is active. 'referrer-spoof: facebook.com false' is already in the rules.

[wolph]

@snow-frog it's pretty likely that you have the same issue I had.

For clarification the "Spoof Referer header" flag needs to be disabled:

[xznhj8129]

Issue identified
Again, both switches were OFF. The issue was in rules.
referrer-spoof: facebook.com false Was what was affected by the switches
referrer-spoof: www.facebook.com true Was what was causing the video issues, flipping the switches had no effect. Setting that rule to "false" fixed it, but searching in the rules for it was the only way.

[wolph]

So the flag was specifically enabled for the www.facebook.com scope (press the www in the above screenshot to see the current rules for the current subdomain)

[uBlock-user]

referrer-spoof: www.facebook.com true

Remove that and commit that change.

[xznhj8129]

Oh my god, the scopes. I never knew that was there at all.

[uBlock-user]

I suggest you read over the Per-Scope switches and Scope Selector before messing with switches again.