Address common problems with trial tokens in meta tags, headers, and scripts.
This guide assumes a working knowledge of origin trials in Chrome. For a detailed FAQ, refer to the Origin trials guide for web developers.
If you encounter a bug with origin trials in Chrome, submit a new issue on the Chrome origin trials GitHub repository.
ChecklistTo troubleshoot an origin trial, work through each of the issues using the supplied links.
DevTools provides origin trial information in the Application panel, for the selected frame.
Expand the top frame to inspect origin trial tokens available for a subframe. For example, for the demo page at ot-iframe.glitch.me, you can see that the page in the iframe provides a token.
Chrome DevTools displays a warning next to the trial name if the trial is: unavailable for the current user, the token has expired, or if there are other restrictions.
Key Point: If a page provides an origin trial dynamically with a script, it may be initially hidden in the Application panel. You may need to reload Chrome DevTools, which doesn't require reloading the page. For examples of pages that include an origin trial token, see the demos. Status codesYou may encounter the following status codes in Chrome DevTools.
Expired: Token has passed its expiration date. To re-enable the origin trial, the token must be renewed. Generate a new token with a new expiration date. Source code
FeatureDisabled: Trial is disabled for use. Source code
FeatureDisabledForUser: This token has been designated as disabled for the current user with an alternative usage restriction. See the "User Subset Exclusions" section of the design doc. Source code 1 and Source code 2
Insecure: The request origin is insecure, and the trial is not enabled for insecure origins. As explained in the origin trial token validator code: 'For third-party tokens, both the current origin and the script origin must be secure. Due to subdomain matching, the token origin might not be an exact match for one of the provided script origins, and the result doesn't indicate which specific origin was matched. This means it's not a direct lookup to find the appropriate script origin. To avoid re-doing all the origin comparisons, there are shortcuts that depend on how many script origins were provided. There must be at least one, or the third party token would not be validated successfully.' Source code
InvalidSignature: The token has an invalid or malformed signature. Source code
Malformed: Token is malformed and could not be parsed. Source code
InvalidSignature or Malformed errors, the token may conform to a valid format but not be recognized by the current browser or browser version. It's possible that the token is usable by a different browser.
NotSupported: The origin trial defined by the token is not supported in the Chromium embedder. An embedder can be a browser (such as Chrome or Edge), a WebView, or some other user agent. Source code
Success: The token is well-formed, has not expired, matches an origin trial feature, and is requested from an expected origin. Source code
TokenDisabled: Token has been marked as disabled and cannot be used. Source code
TrialNotAllowed: The origin trial is unavailable for the current user. Source code
UnknownTrial: The token specifies a feature name that does not match any known trial. Source code
WrongOrigin: The request origin does not match the origin specified in the token. This can include the scheme, hostname, or port. This status is also be displayed if a third-party token is provided in an HTTP header, meta tag, or inline script, rather than from an external JavaScript file. Source code
WrongVersion: You're using the wrong token version. Only token version 2 and 3 are supported. Source code
If your origin trial isn't working as expected, make sure you've met the following conditions.
You're testing in Chrome, not Chromium or another browserChrome origin trials are designed to work for Chrome users. Chrome origin trial tokens won't enable features in other browsers, including Chromium and Chromium-based browsers. This is because Chrome origin trials are specific to features made available in Chrome for experimentation.
Caution: Some origin trials are only available in certain Chrome channels. Some origin trials are limited to desktop, Android, and WebView, and may be unavailable to certain platforms or operating systems. In particular, Chrome on iOS and iPadOS aren't supported, as they're built on WKWebView. All browsers on iOS and iPadOS must use WebKit, the same engine used by Safari.Origin trials are also available for Firefox and Microsoft Edge. Enrollment in a Firefox or Edge origin trial won't enable a feature in Chrome.
The origin trial is enabled for the Chrome versions accessing your siteAccess to origin trials is limited to specific versions of Chrome. This may mean a trial feature is only available to pre-Stable Chrome channels: Canary, Dev and Beta.
You can check version availability from the registration page for the trial:
You can check the Chrome version you're using from chrome://version.
The origin trial is not disabled by Chrome settingsIf an individual user reports that a feature doesn't work for them, check that the feature is not disabled in their Chrome settings. For example, certain Privacy Sandbox features can be disabled from the chrome://settings/adPrivacy page.
Make sure to use appropriate keywords and syntax for origin trial tokens.
Caution: These examples truncate the token value. Make sure to check the whole token, or at least the start and end of it! It's easy to accidentally leave out a character. A complete token looks like this:txt Bj3DysCv1VjknU4jJvkDEwnQZK/vmse1rcd5jZogunrkwtKW92 vmygya6gyKe5GveTObBy3NT5DiC8yiiXnXGwMAAABZeyJvcmlnaW9i7 iJodHXwczovL3NpbXBsLmluZm86NDQzIiwiZmVhdHVyZSI6Ik5BIiwi ZXhwaXH5IjoxNjMxNjYzOTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
For first-party usage, a token can be provided in an origin-trial meta tag:
<meta http-equiv="origin-trial" content="Aj4DysCv3VjknU3...">
Alternatively, a token can be provided in an Origin-Trial response header. Here's an example using Express in Node.js:
app.use(function(req, res, next) {
res.setHeader('Origin-Trial', 'Aj4DysCv3VjknU3...')
next();
});
Tokens can also be provided with JavaScript:
function addTrialToken(tokenContents) {
const tokenElement = document.createElement('meta');
tokenElement.httpEquiv = 'origin-trial';
tokenElement.content = tokenContents;
document.head.appendChild(tokenElement);
}
origin-trial meta tag, an Origin-Trial response header, or with JavaScript. Third-party tokens must be provided with JavaScript. First-party token origin matches page origin
Make sure the Web Origin value selected when you register for a trial matches the origin of the page that has the meta tag or header which provides the token.
For example, if you selected https://example.com as the Web Origin:
You might get a token value like this:
Check that this value matches the token used on the page you're troubleshooting.
For a token provided in a meta tag, check the HTML:
<meta http-equiv="origin-trial" content="Aj4DysCv3VjknU3...">
For a token provided in a header, you can check the token value from the Chrome DevTools Network panel under Response Headers:
First-party token is served from the origin that uses itTo enable access to an origin trial feature for code included in a page served from your origin, provide a trial token in a meta tag, header, or with JavaScript from the same origin.
The origin registered for a token must match the origin that serves it.
Note: The Third-party matching option is only provided for origin trials where it makes sense to try out a feature in a third-party context. Not every origin trial offers third-party tokens. Third-party token origin matches script originYou can register to participate in an origin trial for scripts that are injected on other origins.
For example, if you want scripts that are served from javascript-library.example to take part in an origin trial, you need to register a token with third-party matching for javascript-library.example.
The origin value for a third-party token must match the origin of the script that injects it.
Third-party script uses a third-party tokenYou cannot enable a third-party script to participate in an origin trial on your site by only registering a token for your origin and forgetting the script.
Third-party scripts need to use tokens with third-party matching enabled, injected with the script itself. These tokens cannot be included in a meta tag or header on your site. The JavaScript may look like the following:
// Add a third-party OT token
function addTrialToken(tokenContents) {
const tokenElement = document.createElement('meta');
tokenElement.httpEquiv = 'origin-trial';
tokenElement.content = tokenContents;
document.head.appendChild(tokenElement);
}
Third-party tokens are validated against the origin of the script that injected them. However, inline scripts and <meta> tags in static markup don't have an origin.
This means that a third-party token must be provided with an external script, not in a <meta> tag or inline script. It doesn't matter if the external script that injects the token comes from the same origin as the containing page or a different origin, as long as the origin of the script matches an origin registered for the trial.
See a demo of this at ot-iframe-3p.glitch.me.
Note: You can add multiple tokens to the same page, for the same origin trial or for different trials. Origin trial feature access is supported for the method used to provide a trial tokenSome types of access to origin trial features require you to provide a trial token in a specific way. For example, the only way to enable origin trial access for service workers and shared workers is to provide a token in an Origin-Trial header.
If an origin trial feature doesn't seem to be working for some pages on your site, check that tokens are correctly set up for the subdomains serving them.
When you register for an origin trial, you can optionally choose to match all subdomains of the origin:
You can also match subdomains for third-party tokens:
Subdomain tokens are not issued for origins in the Public Suffix List. For example, you cannot register an origin such as https://appspot.com or https://github.io, though you can register for domains within that origin, such as https://example.appspot.com or https://example.github.io.
Tokens are valid for six weeks after they're created. Beyond that, you must submit feedback in order to extend the Valid Until date. Origin Trials Guide for Web Developers explains how to make sure your token is valid for an entire origin trial.
Note: There is always a gap after the end of the final origin trial for a feature, and when the feature begins rolling out to all Chrome users. Usually, it's two weeks. In other words, there is always a time when a feature is no longer available in origin trial and not yet available by default. Read more about trial timelines.You can check for active tokens on your Chrome Origin Trials My Registrations page:
Chrome DevTools displays Status Success if the token is still valid:
If your token has expired, DevTools displays the status Expired and your My Registrations page displays an Expired Tokens section.
You can check the end date for an origin trial from its registration page:
For trials that have ended, DevTools displays something like this:
You are sent automated emails when feedback is required or a token is about to expire, but not when the trial ends.
Caution: There may be more than one origin trial for a feature. Some features undergo multiple origin trials before being rolled out to Chrome Stable for all users. Check the blink-dev mailing list for updates on the status of the feature you're testing. The origin trial is available for the current userSome origin trials are unavailable to certain users, even if a valid token is provided.
If a trial isn't available for the current user, Chrome DevTools displays a TrialNotAllowed warning:
Information about usage restrictions and availability is provided for each origin trial.
As with any web platform feature, you should use feature detection to confirm that an origin trial feature is supported before you use it.
Origin trial usage restrictions haven't been exceededBy default, an origin trial feature is enabled on any page that has a valid token for the trial.
Except in rare cases, origin trial usage is limited to a maximum of 0.5% of all Chrome page loads. The origin trial feature is disabled if total usage by all Chrome users exceeds that amount. DevTools displays the token status as disabled.
There are no usage limits for deprecation trials, as they don't introduce new features, and therefore don't pose a risk of making a significant proportion of the web dependent on a trial feature.
Note: The Expected Usage field on the trial registration page doesn't impact your origin trial token. It's purely informational for Chrome's origin trial team.Some trials provide an option to limit usage, which means origin trial features are disabled for some users. This option is made available from the registration page for an origin trial that offers it:
If you notice that access by your users to an origin trial feature is lower than expected, make sure that Standard Limit is selected.
Key Point: Access to trials is limited to specific versions of Chrome. In some cases, this may mean a trial feature is only available to pre-Stable Chrome channels: Canary, Dev and Beta. Check that the origin trial is enabled for the Chrome versions accessing your site. Iframes provide their own tokensTo allow access to an origin trial feature, an iframe must provide a token in a meta tag, an HTTP header, or programmatically. Iframes don't inherit access to features enabled for pages that contain them.
ot-iframe.glitch.me demonstrates access to an origin trial feature from an iframe. ot-iframe-3p.glitch.me provides multiple cross-origin iframe examples.
Caution: When you register for a trial, don't select Third-party matching just because you plan to access a trial feature from an iframe! A third-party token only activates a trial feature if it's provided in an external JavaScript file, included with a<script> element. Third-party tokens won't work when provided in a meta tag, inline script or HTTP header. Permissions policies are correctly configured
Some origin trial features may be affected by a Permissions-Policy. You can check for this in the Intent to Experiment for the trial feature, or in developer documentation for the feature on developer.chrome.com/docs.
Make sure the feature you are attempting to access is not blocked by a Permissions-Policy directive. You can check for response headers in the Chrome DevTools Network panel, and view the full list of allowed features in the Application panel.
Origin trials features can be made available to service workers, shared workers, and dedicated workers. To enable access for service workers and shared workers, you must provide a token in an Origin-Trial header.
Dedicated workers inherit access to features enabled by their parent document.
Token is provided before feature is accessedMake sure that an origin trial token is provided before a trial feature is accessed. For example, if a page provides a token with JavaScript, make sure the code to provide the token is run before code that attempts to access the trial feature.
Origin trial demosThe following sites show examples of token deployment.
How to provide an origin trial tokenThe following are demos for APIs in ongoing origin trials
Find out moreRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.3