[webkit-dev] Starting January 4, 2021, Google will block all sign-ins to Google accounts from embedded browser frameworks

Michael Catanzaro mcatanzaro at gnome.org
Tue Nov 17 12:20:02 PST 2020


On Tue, Nov 17, 2020 at 12:50 pm, Michael Catanzaro 
<mcatanzaro at gnome.org> wrote:
> Oh, I missed a very important point. There is a header we can use to 
> test: Google-Accounts-Check-OAuth-Login:true. I will try to figure 
> out how to hack up the libsoup backend to send that header with all 
> requests and see what happens....

I tested this hack:

diff --git a/Source/WebCore/platform/network/HTTPHeaderNames.in 
b/Source/WebCore/platform/network/HTTPHeaderNames.in
index cbc470412f9f..eb19ab00a054 100644
--- a/Source/WebCore/platform/network/HTTPHeaderNames.in
+++ b/Source/WebCore/platform/network/HTTPHeaderNames.in
@@ -109,3 +109,5 @@ X-Temp-Tablet
 // These headers are specific to GStreamer.
 Icy-MetaInt
 Icy-Metadata
+
+Google-Accounts-Check-OAuth-Login
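
Review bot: The new entry at the end of HTTPHeaderNames.in sits directly under the "// These headers are specific to GStreamer." comment, separated only by a blank line, so a reader could take Google-Accounts-Check-OAuth-Login for another GStreamer header. Give it its own comment line stating that it is the header used to test the Google sign-in check, so it is easy to find and remove once the experiment is over.
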
diff --git a/Source/WebCore/platform/network/ResourceRequestBase.h 
b/Source/WebCore/platform/network/ResourceRequestBase.h
index 6c9ce5cccefe..db234c37271f 100644
--- a/Source/WebCore/platform/network/ResourceRequestBase.h
+++ b/Source/WebCore/platform/network/ResourceRequestBase.h
@@ -206,6 +206,7 @@ protected:
         , m_hiddenFromInspector(false)
         , m_isTopSite(false)
     {
+ addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, 
"true");
     }

     ResourceRequestBase(const URL& url, ResourceRequestCachePolicy 
policy)
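
Review bot: The addHTTPHeaderField call in this constructor body is unconditional, so every request built through this constructor carries Google-Accounts-Check-OAuth-Login: true whatever its destination. That matches a local test of "all requests", but in this form the header goes to every origin rather than only to the sign-in pages being tested. If the change is kept beyond a one-off test, put it behind a build or runtime flag so it is off by default.
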
@@ -221,6 +222,7 @@ protected:
         , m_hiddenFromInspector(false)
         , m_isTopSite(false)
     {
+ addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, 
"true");
     }

     void updatePlatformRequest(HTTPBodyUpdatePolicy = 
HTTPBodyUpdatePolicy::DoNotUpdateHTTPBody) const;
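
Review bot: This constructor repeats the same addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true") line as the constructor above, and two copies can drift apart. Move the call into one helper invoked from both constructors. Since url is a parameter of this constructor, that helper could also take it and add the header only for the hosts under test.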


And confirmed in the web inspector to ensure the header is really sent. 
Login still works. So... maybe we will be OK? I'm not sure. I tested 
direct login via google.com. I'm confused as to how this change is in 
any way related to OAuth. Maybe it will only break for third-party 
websites that allow logging in with a Google account? I guess we'll 
find out....



