Google Ads does not respect Critical-CH restart

[mack-branch]

Hello, I work for an ad tech company and we have found some edge cases where the critical-ch restart does not play nicely with redirects between domains, or "wrapped domains". Unfortunately this is a very important and common use case in the ads world, including Google Ads.

Example Google Ads link: https://www.google.com/aclk?sa=L&ai=DChcSEwi-l7XdtPL9AhUR7u0KHQrmDQkYABAAGgJkZw&sig=AOD64_0hvmE49iyDD2sX3y9g3VMWQztshg&q&adurl&ved=2ahUKEwim3a_dtPL9AhXlRkEAHcuQDKgQ0Qx6BAgHEAE

Steps to repro

1. open a new incognito window
2. open network tab of developer tools
3. paste the above link into search bar
4. observe a 302 redirect to https://mettle.app.link/?%243p=a_google_adwords&%24always_deeplink=false&gclid=EAIaIQobChMIvpe13bTy_QIVEe7tCh0K5g0JEAAYASAAEgI6uPD_BwE&~ad_set_id=84381513814&~campaign_id=8309221182&~channel=g&~keyword=mettle&~placement=&$fallback_url=https://www.mettle.co.uk%3Fgclsrc%3Daw.ds%26&gclid=EAIaIQobChMIvpe13bTy_QIVEe7tCh0K5g0JEAAYASAAEgI6uPD_BwE
5. The above request hits our servers, where we are returning an HTTP OK and a critical-ch header requesting two critical client hints: platform-version and model.

Problem

Expected Result:

• Chrome restarts the request immediately, which should occur from the first request to google.com as per the spec and this old issue browser retries from the beginning of the multiple redirection with critical-ch #123

Actual Result:

• Chrome does not restart the request immediately and instead renders the 200 OK page.
• If you manually refresh the page, Chrome now sends the CH headers and the request redirects normally.

More details

I have not been able to reproduce this with other domains that 302 redirect to each other, it seems specific to Google Ads right now. I can also confirm that only one origin (our server) is requesting a critical hint retry, not multiple.

Please note that since this is a critical issue for us we are urgently working to mitigate this on our end, so this may not be reproducible in the wild after a few days. If this becomes an issue let me know and I can set up a test domain where we can reproduce this issue live.

I have also attached a bunch of screenshots from when I reproduced this issue. It is happening consistently (100% of the time) if the browser doesnt already have the critical hints cached (i.e. new incognito window or clear cache).

Thanks!

[yoavweiss]

This sounds like a Chromium issue, rather than a spec issue.
^^ @arichiv

[arichiv]

I'm writing a WPT for this case to verify

[arichiv]

Haven't gotten to a working reproduction but will try again tomorrow here: https://chromium-review.googlesource.com/c/chromium/src/+/4377410

[arichiv]

I was able to reproduce spec-respecting behavior (critical-ch being respected at the end (and/or in the middle) of a redirect chain as long as the chain is cross-origin) in https://chromium-review.googlesource.com/c/chromium/src/+/4377410

I cannot reproduce the issue highlighted in this task and when I try to load the site above it now works. Not sure if something changed on the backend or there was something else going on.

[mack-branch]

Hey @arichiv thanks for looking into this. This was a critical issue for us so we shipped a temporary workaround to our backend in order to preserve user experience. The workaround is to return a 307 redirect to the same link URL along with the critical-ch header, so when Chrome declines to restart and renders the response it will send another request to the same URL. We have seen that in this case, Chrome caches the CH values even though it declines the response, so they are sent when it follows the redirect. However, I'm concerned this is not a long term solution and may lead to infinite redirection, as there is no guarantee that Chrome will send the CH headers when following the 307 redirect...

Its worth mentioning that we have not seen this issue for other cross-origin redirect chains, only for Google Ads (i.e. example1->example2.com works fine but google.com->example2.com does not).

If we need to repro this live, I think we can put a link to a test server in any google ad and click it. Let me know if I can help here.

Is is possible to approach this from an Ads-specific perspective? Is it possible to raise this issue to the Google Ads team? Is it possible there is specific handling for google ads clicks in the CH code, or specific handling of CH on Google Ads clicks?

[arichiv]

@zhengweiwithoutthei could you take a look? It might be some sort of CORS issue.

[cameroncooks-branch]

@arichiv
@zhengweiwithoutthei

It looks like this issue has been abandoned, can we pick this up again? The issue still exists