My Google Auth flow in a popup window works for most of the Google users who have completed their profiles and have added recovery options. For some of the users who haven't completed their Google profile, the following Suggestions screen comes up:
(screenshot: Profile Suggestion) Please notice the URL in the popup window is now https://gds.google.com (earlier it was accounts.google.com). Upon clicking on "Not Now" (screenshot: Not Now),
the auth flow breaks and a blank screen appears. Please notice that we're being redirected from gds.google.com to accounts.google.com.
The error trace in the browser's console is: Cannot read property 'postMessage' of undefined
I feel the popup lost its reference to my website's window in that redirection from accounts.google.com to gds.google.com.
My webapp has the header Cross-Origin-Opener-Policy: same-origin-allow-popups set.
Browser(s)/Version(s): All browsers
Expected Behavior: After clicking on "Not Now" in the Suggestions screen, the flow should continue to authenticate and call the callback registered in the initialize statement: window.google.accounts.id.initialize({callback})
Actual Behavior: After clicking on "Not Now" in the Suggestions screen, the popup goes blank and the browser gives the following error in the console: Cannot read property 'postMessage' of undefined
The cross-origin redirection disrupts the communication between the popup window and your web app's main window due to the Cross-Origin-Opener-Policy: same-origin-allow-popups header. This policy restricts communication between windows from different origins (except for popups from the same origin as the opener). If you relax the policy to same-origin or remove it altogether, it would allow communication between the popup window (potentially from gds.google.com) and your main window (on your website's domain) even after the redirect. But it will weaken the security by allowing popups from any origin to potentially interact with your main window.

Since your Google Auth flow in a popup window works for most of the Google users who have completed their profiles, you might want to consider modifying your registration process to encourage users to complete their profiles before allowing Google Auth. This would potentially reduce the number of users encountering the Suggestions screen and the subsequent redirect issue.
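An opener-side guard for the failure described above, added here as an example that is not part of the question or the answer and is not Google's library code: it accepts credential messages only from the two Google origins seen in the question (accounts.google.com and gds.google.com, an assumed allow-list) and turns a silent or severed popup into an explicit error instead of a hang. All function and option names are assumptions.

```javascript
// Origins the auth popup is expected to post from (assumed allow-list).
const TRUSTED_POPUP_ORIGINS = new Set([
  "https://accounts.google.com",
  "https://gds.google.com", // appears after the Suggestions redirect in the question
]);

// Validate a postMessage event before trusting its payload: the origin must be
// on the allow-list and the payload must carry a string credential.
function classifyAuthMessage(event) {
  if (!TRUSTED_POPUP_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.credential !== "string") {
    return { ok: false, reason: "malformed" };
  }
  return { ok: true, credential: data.credential };
}

// Wrap the popup flow in a promise: resolve on the first valid message from
// this popup, reject when the popup closes or stays silent. When COOP severs
// the opener relationship during a cross-origin navigation, the old popup
// reference reports closed === true, so the poll catches the "blank popup" case.
function awaitPopupCredential(popup, { timeoutMs = 60000, windowRef = globalThis } = {}) {
  return new Promise((resolve, reject) => {
    let timer;
    let poll;
    const cleanup = () => {
      clearTimeout(timer);
      clearInterval(poll);
      windowRef.removeEventListener("message", onMessage);
    };
    const onMessage = (event) => {
      if (event.source !== popup) return; // ignore messages from other windows/frames
      const result = classifyAuthMessage(event);
      if (!result.ok) return; // drop silently; unrelated frames may post too
      cleanup();
      resolve(result.credential);
    };
    windowRef.addEventListener("message", onMessage);
    poll = setInterval(() => {
      if (popup.closed) { cleanup(); reject(new Error("popup-closed")); }
    }, 500);
    timer = setTimeout(() => { cleanup(); reject(new Error("popup-timeout")); }, timeoutMs);
  });
}
```

The rejection paths are where a fallback (for example, switching that user to a redirect-based sign-in) belongs, rather than leaving the user on a blank popup.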