Steerage to builders affected by our effort to dam much less safe browsers and functions


Posted by Lillan Marie Agerup, Product Supervisor

We’re at all times working to enhance safety protections of Google accounts. Our safety techniques robotically detect, alert and assist shield our customers in opposition to a spread of safety threats. One type of phishing, referred to as “man-in-the-middle”, is difficult to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or one other automation platform is getting used for authentication. MITM presents an authentication stream on these platforms and intercepts the communications between a consumer and Google to assemble the consumer’s credentials (together with the second consider some instances) and check in. To guard our customers from a majority of these assaults Google Account sign-ins from all embedded frameworks will likely be blocked beginning on January four, 2021. This block impacts CEF-based apps and different non-supported browsers.

To reduce the disruption of service to our companions, we’re offering this data to assist builders arrange OAuth flows in supported user-agents. The knowledge on this doc outlines the next:

The right way to allow sign-in in your embedded framework-based apps utilizing browser-based OAuth flows.

The right way to check for compatibility.

Apps that use embedded frameworks

In case you’re an app developer and use CEF or different shoppers for authorization on gadgets, use browser-based OAuth flows. Alternatively, you should use a suitable full native browser for sign-in.

For limited-input machine functions, equivalent to functions that would not have entry to a browser or have restricted enter capabilities, use limited-input machine OAuth flows.


Trendy browsers with safety updates will proceed to be supported.

Browser requirements

The browser should have JavaScript enabled. For extra particulars, see our earlier weblog submit.

The browser should not proxy or alter the community communication. Your browser should not do any of the next:

Server-side rendering

HTTPS proxy

Replay requests

Rewrite HTTP headers

The browser should have a fairly full implementation of net requirements and browser options. You will need to affirm that your browser doesn’t comprise any of the next:

Headless browsers


Textual content-based browsers

The browser should determine itself clearly within the Consumer-Agent. The browser should not attempt to impersonate one other browser like Chrome or Firefox.

The browser should not present automation options. This contains scripts that automate keystrokes or clicks, particularly to carry out automated sign-ins. We don’t permit sign-in from browsers based mostly on frameworks like CEF or Embedded Web Explorer.

Take a look at for compatibility

In case you’re a developer that at the moment makes use of CEF for sign-in, bear in mind that assist for any such authentication ends on January four, 2021. To confirm whether or not you will be affected by the change, check your utility for compatibility. To check your utility, add a selected HTTP header and worth to disable the allowlist. The next steps clarify methods to disable the allowlist:

Go to the place you ship requests to

Add Google-Accounts-Examine-OAuth-Login:true to your HTTP request headers.

The next instance particulars methods to disable the allowlist in CEF.

Be aware: You may add your customized headers in CefRequestHandler#OnBeforeResourceLoad.

CefRequest::HeaderMap hdrMap;
hdrMap.insert(std::make_pair(“Google-Accounts-Examine-OAuth-Login”, “true”));

To check manually in Chrome, use ModHeader to set the header. The header allows the adjustments for that specific request.

Setting the header utilizing ModHeader

Associated content material

See our earlier weblog submit about safety in opposition to man-in-the-middle phishing assaults.