Google+ API "400 (Bad Request)" and "Refused to display ... in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'." errors

I am trying to integrate the G+ API with my website and am having a problem. If you look at the console when loading the page, you will see the following errors:

GET https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.pricewombat.com 400 (Bad Request) cb=gapi.loaded_0:436

Refused to display 'https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.pricewombat.com#rpctoken=356505585&forcesecure=1' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

I'm just using the example code given on Google's website:

<script type="text/javascript">
    (function() {
        var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
        po.src = 'https://apis.google.com/js/client:plusone.js?onload=googlePlusOnloadCallback';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
    })();
</script>

If I run gapi.auth.signIn() in the console, nothing happens. I'm assuming the problem is related to the above errors when the page loads.

What's causing this problem and how do I fix it?

UPDATE:

I created a blank page on my website with this barebones code:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
</head>
<body>

<script type="text/javascript">
    (function() {
        var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
        po.src = 'http://apis.google.com/js/client:plusone.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
    })();
</script>
</body>
</html>

I tried loading the above page with and without the authentication meta tags (not shown above) and am still getting the errors.

It seems like this has to be a problem on Google's end since I'm just using the most basic barebones example code and it's not working.
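Added example, not part of the original question or Google's code: a simplified model of how a browser applies X-Frame-Options to the framed relay response named in the second console message. The function name `frameAllowed` and its ancestor-list parameter are assumptions for illustration, and the logic follows the HTML Standard's check for the case where no CSP `frame-ancestors` directive is present.

```javascript
// Added example: simplified X-Frame-Options evaluation (assumes the framed
// response carries no CSP frame-ancestors directive, which would take priority).

// Returns true if a browser would render `frameUrl` inside the given chain of
// ancestor page URLs, given the framed response's X-Frame-Options value(s).
function frameAllowed(frameUrl, ancestorUrls, xfoHeader) {
  // Header values are comma-separated and case-insensitive.
  const values = new Set(
    (xfoHeader || '')
      .split(',')
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v.length > 0)
  );
  const known = ['deny', 'allowall', 'sameorigin'];
  // Conflicting values (e.g. "DENY, SAMEORIGIN") fail closed.
  if (values.size > 1 && known.some((k) => values.has(k))) return false;
  if (values.has('deny')) return false;
  if (values.has('sameorigin')) {
    const frameOrigin = new URL(frameUrl).origin; // scheme + host + port
    // Every ancestor, not only the top-level page, must share the origin.
    return ancestorUrls.every((a) => new URL(a).origin === frameOrigin);
  }
  // No recognized restriction (absent header, or obsolete ALLOW-FROM): allowed.
  return true;
}

// URLs taken from the console messages in the question.
const RELAY = 'https://accounts.google.com/o/oauth2/postmessageRelay' +
  '?parent=http%3A%2F%2Fwww.pricewombat.com';
const SITE = 'http://www.pricewombat.com/';

function demo() {
  return {
    // The case in the question: a third-party page frames accounts.google.com.
    crossOrigin: frameAllowed(RELAY, [SITE], 'SAMEORIGIN'),
    // The same response framed by a page on accounts.google.com itself.
    sameOrigin: frameAllowed(RELAY, ['https://accounts.google.com/'], 'SAMEORIGIN'),
    // Nested: a same-origin parent inside a cross-origin top-level page.
    nested: frameAllowed(RELAY, ['https://accounts.google.com/', SITE], 'SAMEORIGIN'),
    // Response with no X-Frame-Options header.
    noHeader: frameAllowed(RELAY, [SITE], ''),
  };
}

console.log(demo());
```

The `crossOrigin` case corresponds to the "Refused to display ... in a frame" message: the check is enforced by the browser on whatever response the relay URL returned, so it cannot be changed from the embedding site.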

Answers


Well, apparently Google+ just had a brainfart or something, because the solution was simply to clear my cookies!

I tried using my website on another computer and the Google+ API worked fine (no errors), so I tried clearing the cookies on my desktop and lo and behold, it started working!


What I found out was that if the client has had Chrome open for a very long time, they would get this error. Once they close Chrome and reopen it, they don't have any trouble with the issue. My solution was to download the script from the server, upload it to our server and make it a backup download.

