Recently, a rash of users have received this error when trying to view more than the first page of a PDF in our corporate Gmail:
This problem started to appear toward the end of July 2019, and by mid-August it was company-wide. This timeline corresponds with the release of Chrome v76. Chome v76 introduces a change to Cross-Origin Requests, and while this change introduced some trouble for a number of Chrome Extensions, it can also negatively impact corporate G Suite environments who utilize certain restrictions in the Google Admin Console.
How to Fix this Error
First, verify that this is, indeed, the problem.
- Open an email in Gmail with a multi-page PDF attachment, but do not click the attachment yet
- Press CTRL+Shift+I to open the Developer console, and click to the Network tab
- Click the PDF attachment and look at the results in the Network tab
- One of the Red items that appear on the list should contain:
Access to XMLHttpRequest at 'https://drive.google.com/viewerng/upload?ds=docstring' from origin 'https://mail.google.com/ has been blocked by CORS policy: Request header field x-googapps-allowed-domains is not allowed by Access-Control-Allow-Headers in preflight response.
If you see the above, then this solution will work for you. To explain, settings exist in the G Suite Admin Console which can restrict the ability of a Chrome user, with Sync turned on, from logging into secondary accounts outside of an allowed set of domains. The requests to the Google Drive PDF viewer from Gmail come across as generic and not specific to your domain, and thus Chrome refuses to render the document. To solve the problem, this restriction in the Admin Console will need to be disabled by an administrator in your G Suite organization.
- Open the Admin Console
- Navigate to Devices – Chrome management – User and browser settings
- Find Sign-in to secondary accounts and set it to Allow users to sign-in to any secondary Google Accounts
Your organization more than likely utilizes a web filter, DLP platform, or firewall to restrict sign-in settings anyway, so this setting will do no harm.