First, I want to emphasize that you really should be using https when handling user credentials. If you can, get an SSL certificate and serve your content over https. By using HTTPS, you can prevent MiTM attacks and user information leaks.
That aside, there are a number of potential sources triggering the warning:
If you are using the Sign-in button from a page serving HTTP instead of the more secure HTTPS, sometimes communication with the sign-in servers gets blocked. If sign-in sometimes works and sometimes doesn't, this may be the cause.
If your authorized JavaScript origin protocol (http / https) doesn't match, the Google authorization server will reject your client (http://yoursite.com when you meant https://yoursite.com)
If your authorized JavaScript origin does not match (e.g. you put .com in the authorized origin, when you meant yoursite.com) then the OAuth server will reject your frame.
Listing your authorized origins (obfuscated for security) from the Google Developer Console and the site might help to determine what's going on in your case.
A few things you can change to see if it helps:
- Try changing your cookie policy to either
'single_host_origin' or to 'http://yoursite.com'.
- Try cleaning the authorized origins in the developer console to only include your http:// domain.
- Try accessing your site from an incognito tab, if this works, your browser cookies may be in a bad state for the site.
- Try using Chrome network diagnostics to see if specific requests are failing.
- Try replacing any includes that use an explicit protocol with includes referencing a relative protocol (e.g. replace
<script src="https://foo.bar/include.js" /> with <script src="//foo.bar/include.js" />)
