Guidance to developers affected by our effort to block less secure browsers and applications
Posted by Lillan Marie Agerup, Product Manager
We're always working to improve the security protections of Google accounts. Our security systems automatically detect, alert and help protect our users against a range of security threats. One form of phishing, known as "man-in-the-middle" (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework, CEF) or another automation platform is used for authentication. A MITM attacker presents an authentication flow on such a platform and intercepts the communication between the user and Google to harvest the user's credentials (including the second factor in some cases) and sign in as that user. To protect our users from these attacks, Google Account sign-ins from all embedded frameworks will be blocked starting on January 4, 2021. This block affects CEF-based apps and other non-supported browsers.
To minimize the disruption of service to our partners, we are providing this information to help developers set up OAuth 2.0 flows in supported user-agents. This document outlines the following:
How to enable sign-in in your embedded framework-based apps using browser-based OAuth 2.0 flows.
How to test for compatibility.
Apps that use embedded frameworks
If you're an app developer and use CEF or other clients for authorization on devices, use browser-based OAuth 2.0 flows. Alternatively, you can use a compatible full native browser for sign-in.
For limited-input device applications, such as applications that do not have access to a browser or have limited input capabilities, use the limited-input device OAuth 2.0 flow.
Modern browsers with security updates will continue to be supported.
The browser must not proxy or alter the network communication. Your browser must not do any of the following:
Rewrite HTTP headers
The browser must have a reasonably complete implementation of web standards and browser features. You must confirm that your browser is not one of the following:
Text-based browsers
The browser must identify itself clearly in the User-Agent. The browser must not try to impersonate another browser such as Chrome or Firefox.
The browser must not provide automation features. This includes scripts that automate keystrokes or clicks, especially to perform automatic sign-ins. We do not allow sign-in from browsers based on frameworks like CEF or Embedded Internet Explorer.
Take a look at for compatibility
If you're a developer who currently uses CEF for sign-in, be aware that support for this type of authentication ends on January 4, 2021. To verify whether you will be affected by the change, test your application for compatibility. To test your application, add a specific HTTP header and value to disable the allowlist. The following steps explain how to disable the allowlist:
Go to the place where you send requests to accounts.google.com.
Add Google-Accounts-Check-OAuth-Login:true to your HTTP request headers.
The following example details how to disable the allowlist in CEF.
Note: You can add your custom headers in CefRequestHandler#OnBeforeResourceLoad.
To test manually in Chrome, use ModHeader to set the header. The header enables the changes only for that particular request, so it must be present on every request to accounts.google.com that you want to test.
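The steps above, worked into code as an added example (this is not code from the post or from CEF). The standard C++ part decides whether an outgoing request is bound for accounts.google.com and, if so, adds the Google-Accounts-Check-OAuth-Login header once. It is deliberately strict: only https and an exact host match qualify, so the header is never attached to requests to hosts such as accounts.google.com.evil.example, and it is not added twice. The CefRequestHandler glue at the bottom compiles only when CEF_INTEGRATION is defined; its method signature follows the CEF 3 API that the post names and is an assumption, not verified here (in CEF 75 and later the same hook lives on CefResourceRequestHandler).

```cpp
// Added example, not code from the Google post or from CEF.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

// Same shape as CefRequest::HeaderMap (a multimap, since HTTP allows repeated names).
using HeaderMap = std::multimap<std::string, std::string>;

// Header and value named in the post for disabling the allowlist during testing.
static const char kTestHeaderName[]  = "Google-Accounts-Check-OAuth-Login";
static const char kTestHeaderValue[] = "true";

static std::string ToLower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Returns the lower-cased host of an https:// URL with userinfo, port, path,
// query and fragment stripped. Returns "" for any non-https URL.
std::string HttpsHost(const std::string& url) {
  const std::string scheme = "https://";
  if (url.size() < scheme.size() ||
      ToLower(url.substr(0, scheme.size())) != scheme) {
    return "";
  }
  std::string authority = url.substr(scheme.size());
  authority = authority.substr(0, authority.find_first_of("/?#"));
  size_t at = authority.rfind('@');              // drop user:pass@
  if (at != std::string::npos) authority = authority.substr(at + 1);
  size_t colon = authority.find(':');            // drop :port
  if (colon != std::string::npos) authority = authority.substr(0, colon);
  return ToLower(authority);
}

// Exact host match only: "accounts.google.com.evil.example" and
// "evil.example/accounts.google.com" must not receive the header.
bool IsGoogleAccountsRequest(const std::string& url) {
  return HttpsHost(url) == "accounts.google.com";
}

// Adds the test header for qualifying URLs, once. Returns true if it was added.
bool AddCompatibilityTestHeader(const std::string& url, HeaderMap& headers) {
  if (!IsGoogleAccountsRequest(url)) return false;
  for (const auto& kv : headers) {
    if (ToLower(kv.first) == ToLower(kTestHeaderName)) return false;  // already set
  }
  headers.emplace(kTestHeaderName, kTestHeaderValue);
  return true;
}

#ifdef CEF_INTEGRATION
#include "include/cef_request_handler.h"
// Assumed CEF 3 hook named in the post; copies the request's headers into the
// portable HeaderMap above, applies the rule, and writes them back if changed.
class CompatTestRequestHandler : public CefRequestHandler {
 public:
  ReturnValue OnBeforeResourceLoad(CefRefPtr<CefBrowser> browser,
                                   CefRefPtr<CefFrame> frame,
                                   CefRefPtr<CefRequest> request,
                                   CefRefPtr<CefRequestCallback> callback) override {
    CefRequest::HeaderMap cef_headers;
    request->GetHeaderMap(cef_headers);
    HeaderMap headers;
    for (const auto& kv : cef_headers)
      headers.emplace(kv.first.ToString(), kv.second.ToString());
    if (AddCompatibilityTestHeader(request->GetURL().ToString(), headers)) {
      cef_headers.clear();
      for (const auto& kv : headers) cef_headers.emplace(kv.first, kv.second);
      request->SetHeaderMap(cef_headers);
    }
    return RV_CONTINUE;
  }
  IMPLEMENT_REFCOUNTING(CompatTestRequestHandler);
};
#endif
```

Keep the header scoped to accounts.google.com as the first step instructs: a handler that adds it to every request would also send it to third-party origins loaded by the sign-in page, which is noise at best. Remove the handler before shipping; it exists only to check whether your application is affected by the block.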
Setting the header using ModHeader
Related content
See our previous blog post about protection against man-in-the-middle phishing attacks.