[webkit-dev] Starting January 4, 2021, Google will block all sign-ins to Google accounts from embedded browser frameworks
Maciej Stachowiak
mjs at apple.com
Tue Nov 17 15:22:08 PST 2020
This sounds obnoxious and potentially anti-competitive. But I think it’s restricted to OAuth flows, which would indeed only affect other sites that allow the user to sign in with their Google account. So that would be the thing to test.
> On Nov 17, 2020, at 12:20 PM, Michael Catanzaro via webkit-dev <webkit-dev at lists.webkit.org> wrote:
>
> On Tue, Nov 17, 2020 at 12:50 pm, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
>> Oh, I missed a very important point. There is a header we can use to test: Google-Accounts-Check-OAuth-Login:true. I will try to figure out how to hack up the libsoup backend to send that header with all requests and see what happens....
>
> I tested this hack:
>
> diff --git a/Source/WebCore/platform/network/HTTPHeaderNames.in b/Source/WebCore/platform/network/HTTPHeaderNames.in
> index cbc470412f9f..eb19ab00a054 100644
> --- a/Source/WebCore/platform/network/HTTPHeaderNames.in
> +++ b/Source/WebCore/platform/network/HTTPHeaderNames.in
> @@ -109,3 +109,5 @@ X-Temp-Tablet
> // These headers are specific to GStreamer.
> Icy-MetaInt
> Icy-Metadata
> +
> +Google-Accounts-Check-OAuth-Login
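Review bot: The new entry at the end of HTTPHeaderNames.in has no comment of its own and sits directly under "// These headers are specific to GStreamer.", separated only by a blank line, so a later reader can take it for a GStreamer header. Give it its own comment line saying it is a test-only header for checking Google's OAuth sign-in restriction, so it is easy to find and remove once the experiment is over.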
> diff --git a/Source/WebCore/platform/network/ResourceRequestBase.h b/Source/WebCore/platform/network/ResourceRequestBase.h
> index 6c9ce5cccefe..db234c37271f 100644
> --- a/Source/WebCore/platform/network/ResourceRequestBase.h
> +++ b/Source/WebCore/platform/network/ResourceRequestBase.h
> @@ -206,6 +206,7 @@ protected:
> , m_hiddenFromInspector(false)
> , m_isTopSite(false)
> {
> + addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true");
> }
>
> ResourceRequestBase(const URL& url, ResourceRequestCachePolicy policy)
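Review bot: The addHTTPHeaderField call in this constructor body is unconditional, so every request built through it carries Google-Accounts-Check-OAuth-Login: true, whatever host it eventually goes to. That is enough for a local experiment, but it would expose a distinguishing header to every origin if it escaped a test build. Put it behind a debug-only switch or a build flag, and add a comment here marking it as temporary.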
> @@ -221,6 +222,7 @@ protected:
> , m_hiddenFromInspector(false)
> , m_isTopSite(false)
> {
> + addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true");
> }
>
> void updatePlatformRequest(HTTPBodyUpdatePolicy = HTTPBodyUpdatePolicy::DoNotUpdateHTTPBody) const;
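Review bot: This second constructor repeats the same addHTTPHeaderField line as the one above it, so the two copies can drift apart or one can be missed on removal. Move the call into a single private helper that both constructors invoke. Since this overload receives `url`, the helper could also take it and add the header only when the host is a Google accounts host, which keeps the test closer to what the header is meant to check.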
>
>
> And confirmed in the web inspector to ensure the header is really sent. Login still works. So... maybe we will be OK? I'm not sure. I tested direct login via google.com. I'm confused as to how this change is in any way related to OAuth. Maybe it will only break for third-party websites that allow logging in with a Google account? I guess we'll find out....