This sounds obnoxious and potentially anti-competitive. But I think it’s restricted to OAuth flows, which would indeed only affect other sites that allow the user to sign in with their Google account. So that would be the thing to test.
On Nov 17, 2020, at 12:20 PM, Michael Catanzaro via webkit-dev <webkit-dev@lists.webkit.org> wrote:
On Tue, Nov 17, 2020 at 12:50 pm, Michael Catanzaro <mcatanzaro@gnome.org> wrote:
Oh, I missed a very important point. There is a header we can use to test: Google-Accounts-Check-OAuth-Login:true. I will try to figure out how to hack up the libsoup backend to send that header with all requests and see what happens....
I tested this hack:
diff --git a/Source/WebCore/platform/network/HTTPHeaderNames.in b/Source/WebCore/platform/network/HTTPHeaderNames.in index cbc470412f9f..eb19ab00a054 100644 --- a/Source/WebCore/platform/network/HTTPHeaderNames.in +++ b/Source/WebCore/platform/network/HTTPHeaderNames.in @@ -109,3 +109,5 @@ X-Temp-Tablet // These headers are specific to GStreamer. Icy-MetaInt Icy-Metadata + +Google-Accounts-Check-OAuth-Login diff --git a/Source/WebCore/platform/network/ResourceRequestBase.h b/Source/WebCore/platform/network/ResourceRequestBase.h index 6c9ce5cccefe..db234c37271f 100644 --- a/Source/WebCore/platform/network/ResourceRequestBase.h +++ b/Source/WebCore/platform/network/ResourceRequestBase.h @@ -206,6 +206,7 @@ protected: , m_hiddenFromInspector(false) , m_isTopSite(false) { + addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true"); }
ResourceRequestBase(const URL& url, ResourceRequestCachePolicy policy) @@ -221,6 +222,7 @@ protected: , m_hiddenFromInspector(false) , m_isTopSite(false) { + addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true"); }
void updatePlatformRequest(HTTPBodyUpdatePolicy = HTTPBodyUpdatePolicy::DoNotUpdateHTTPBody) const;
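Review bot: In HTTPHeaderNames.in the new Google-Accounts-Check-OAuth-Login entry has no comment of its own and sits directly below the "These headers are specific to GStreamer" group, so it reads as if it belonged to that group. Give it its own comment line saying it is a temporary header added for testing Google's OAuth login check, so it is easy to find and remove afterwards.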
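Review bot: In ResourceRequestBase.h both constructors call addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true") unconditionally, so the header goes out on every request to every origin, not only to Google's sign-in endpoints. That is fine for a throwaway local test, but the second constructor already receives `const URL& url`, so the test could be limited to the hosts under test by checking the URL there. The default constructor has no URL to check and should not add the header at all. The identical line is also duplicated in two places; a single helper would keep the hack in one spot.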
And confirmed in the web inspector to ensure the header is really sent. Login still works. So... maybe we will be OK? I'm not sure. I tested direct login via google.com. I'm confused as to how this change is in any way related to OAuth. Maybe it will only break for third-party websites that allow logging in with a Google account? I guess we'll find out....