Google is no longer allowing embedded webviews, as it is a disallowed_useragent for OAuth sign-in. For most situations, this is completely fine and there is a workaround. However, I have run into a situation where this prevents websites from being able to use a web-server OAuth implementation.
The Issue:
Nginx PHP server running the Google PHP SDK, using their OAuth implementation. This works fine on everything except embedded browsers. Typically this is okay; however, if a user tries to sign up to our website in an app which uses an embedded browser, we get the disallowed_useragent error (see picture at bottom). This doesn't appear to be a problem in Android Facebook Messenger but can be replicated on the iPhone 7 Plus Facebook Messenger.
Current Research:
I tried to look for explicit workarounds. E.g. ways to force the link to open in the primary phone browser (e.g. Safari app) but all implementations point to app side fixes, which can't be done from a website.
Question:
How can I implement Google OAuth when some users may be using these embedded browsers, without making the user take an extra manual action (e.g. Open in Safari/Chrome)?
This question is very opinion based but I will give you my opinion.
How should I implement Google OAuth when some users may be using these embedded browsers, without making the user take an extra action?
You can't really. If someone is using an embedded browser in Facebook Messenger to open your auth link, it's not going to work. To my knowledge there is no way to force or override Facebook Messenger or any other app that uses its own embedded browser. Again, this is just my opinion, but there are a lot of apps out there which have started forcing their users to use these embedded browsers. One could question how secure they are and whether it is better to use the real installed browser. Do you think this is why Google has enabled this to begin with?
I would like to avoid going down the road of detecting the user-agent web-side and force the user to open the link in Safari.
I don't know, that sounds like a pretty decent solution to me. It may feel a little like overkill, but if it works, go with it.
There's another scenario that is causing issues.
If you have a web app - not a native app with an embedded browser - the user can always choose to put the shortcut to the HomeScreen in iOS.
But when they go to that HomeScreen shortcut to run the app, it will strip "Safari/6xx.x" from the user agent string.
Now, Google sees this as an "Embedded Browser" and denies access to OAuth.
So - "No Web-App-Capable" for you!
If you turn off this meta tag:
<meta name="apple-mobile-web-app-capable" content="yes"/>
two things happen in iOS:
The website now opens in the Safari browser window instead of the cleaner Web-App method.
The website uses the complete Safari useragent which will allow OAuth to work.
The real shame here is that the decisions of Google (to deny non-standard browsers access to OAuth) and Apple (to remove the Safari version from the user agent for homescreen shortcuts) have backed us into a corner where any site that could look really nice in web-app mode can't utilize this OAuth from Google.
I've been trying to find a way to spoof the user agent to add the Safari version into it so that everything works in homescreen web-apps, but I don't think I can make it work. It seems that Safari doesn't allow you to change the navigator.userAgent and, on top of that, I'm not sure how it would handle new popup windows in WebApp mode.
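The user-agent check discussed in the answers above, as an added example that is not part of the original posts: it classifies a user-agent string so a site can hide the Google sign-in button and show an "open in your browser" notice where sign-in would fail. The token patterns, function names and sample strings are assumptions made for illustration; this is a heuristic, not Google's own disallowed_useragent logic.

```javascript
// Added example. Patterns are assumptions based on commonly observed
// user-agent strings, not Google's actual detection rules.
const IN_APP_TOKENS = /\b(FBAN|FBAV|FB_IAB)\//; // Facebook / Messenger in-app browser

function classifyUserAgent(ua) {
  if (IN_APP_TOKENS.test(ua)) return 'in-app-browser';
  const isIOS = /\b(iPhone|iPad|iPod)\b/.test(ua);
  // iOS webviews and home-screen web apps send AppleWebKit but no "Safari/" token.
  if (isIOS && /AppleWebKit\//.test(ua) && !/Safari\//.test(ua)) {
    return 'ios-webview-or-homescreen';
  }
  // Android System WebView marks itself with "; wv)" in the platform section.
  if (/Android/.test(ua) && /; wv\)/.test(ua)) return 'android-webview';
  return 'full-browser';
}

// Decide what the login page should render for this request.
function signInPlan(ua) {
  const kind = classifyUserAgent(ua);
  if (kind === 'full-browser') return { kind, offerGoogle: true, notice: null };
  return {
    kind,
    offerGoogle: false,
    notice: 'Google sign-in is unavailable in this view. ' +
            'Open this page in Safari or Chrome to continue.',
  };
}

// Constructed sample user-agent strings (illustrative, not captured traffic).
const IOS = 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) ' +
            'AppleWebKit/603.1.30 (KHTML, like Gecko) ';
const SAMPLES = {
  safari: IOS + 'Version/10.0 Mobile/14E304 Safari/602.1',
  homescreen: IOS + 'Mobile/14E304',
  messenger: IOS + 'Mobile/14E304 [FBAN/MessengerForiOS;FBAV/118.0.0.36.69]',
  androidWebview: 'Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M; wv) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36',
  androidChrome: 'Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36',
};
```

Because the user agent is client-supplied, treat the result only as a hint for what to render, never as an access-control decision.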
Related
My website has a Facebook login function, which does not work if the user views my site in the Facebook app, Messenger app, iOS Chrome app, or Gmail app on iPhone.
Therefore, I need to force user to open site on Safari in such case.
Is there any way to do that? My site is built by wordpress.
Thanks!
UPDATE 1: I am thinking about a JavaScript to detect if the user is on iOS, then pop up a dialog to ask if the user wants to view in Safari. Is it possible?
If you are in an Apple app like Mail, Messages, Notes etc., it will open with Safari, but if you are in another app, e.g. Facebook, Twitter, anything developed by a developer, you can't choose how you want to handle URLs in their app; that is up to the developer, and as a developer and Apple guidelines, it is best to open URLs in app so that the user doesn't leave your app. They use Safari anyway as UIWebView is a component of Safari, and we use UIWebView to browse inside our apps. (This can be manipulated, but still doesn't change the answer as to where you can't control how to handle links inside apps.)
It's not possible to open a specific browser (Safari in your case) from a website.
If you're working on an app, you might want to have a look at SFSafariViewController.
Have a brief idea about the different kinds of webviews in iOS here
I am building an auction app for a music festival and the app is being embedded into the festival's site via an iFrame.
The problem I'm having is with Chrome. When viewed directly (on the source site) I can log in to the app fine, but when viewing the app through the iFrame on the festival's website I can't seem to log in. However, I can still register users. I should also note that this system was built on CodeIgniter.
I have absolutely no clue why this is happening? Does it have to do with cross-domain policies? Any help on this is much appreciated.
The site you are interacting with probably has implemented a protection against Clickjacking. The protection usually includes either breaking out of iFrames or completely blocking all requests coming out of iFrames.
I would contact the site developer and inquire regarding any implemented clickjacking protections they have in place - they may be able to whitelist your domain name, but this depends on their technology etc.
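To check the clickjacking explanation above against what a server actually sends, here is an added example (not from the original answer) that evaluates the two standard anti-framing response headers, `X-Frame-Options` and the CSP `frame-ancestors` directive. The function names and the `.example` origins are assumptions; it models a single parent frame and does not handle ports or nested ancestors.

```javascript
// Added example: would these response headers let `parentOrigin` embed a
// page served from `pageOrigin` in an iframe? Header names are lower-cased.
function frameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function sourceMatches(source, parentOrigin, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return parentOrigin === pageOrigin;
  const parent = new URL(parentOrigin);
  // Supported host-source forms: scheme://host and scheme://*.host (no ports).
  const m = /^(https?):\/\/(\*\.)?([^/:]+)$/.exec(source);
  if (!m || m[1] + ':' !== parent.protocol) return false;
  return m[2] ? parent.hostname.endsWith('.' + m[3]) : parent.hostname === m[3];
}

function canBeFramedBy(headers, parentOrigin, pageOrigin) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors takes precedence over X-Frame-Options when both are sent.
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some((s) => sourceMatches(s, parentOrigin, pageOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  // ALLOW-FROM is obsolete and ignored by current browsers; treated as unset.
  return true;
}
```

If the login response carries `SAMEORIGIN` or a `frame-ancestors` list without the embedding site, allow-listing that one origin in `frame-ancestors` keeps the protection in place for every other parent.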
Essentially I would like to be able to use an appcache file on my site but only for mobile devices, to enable those devices to view the website/webapp I am developing offline, however desktops/laptops often have access to the internet and I would rather these view the site as is, with no manifest/caching etc..
I am aware user agent sniffing is at best unreliable although can provide some good results, if this could be avoided it would be best.
The site/webapp I am developing is built in HTML/CSS/JS/PHP and uses responsive layouts to serve the same pages of the site to each device with customised views/layouts depending on the devices width (using css media queries).
Thanks for any help in advance, all my searches for this specifically have proved unfruitful :(
Update
After Robertc's comments below I would like to clarify that it is Desktop Browsers (ie the very same browsers that are used on laptops) that I would like to exclude any caching from via appcache/manifest file... This is a requirement from client and also from me as programmatically it seems easier to target desktops and laptops together as they are using same software/OS...
More specifically my webapp needs to support caching via appcache/manifest on iOS, Android & Blackberry (although it would be nice to have all tablets/smartphones) so maybe the question is how to find one of these devices and include the appcache reference, however this looks like it is leading down the path of user agent sniffing which I was hoping to avoid...
Because the browser checks the appcache.manifest before everything else happens, you have to do additional server-side detection. You cannot load the appcache.manifest with JavaScript.
Do server-side detection on the user agent and deliver the HTML with the manifest if you get a request from an iPhone, iPad, Android etc., and without the manifest in the other cases.
User agent checking is the best approach. You deliver your site for people who don't fake their user agent.
User agent test with php for mobile devices (just add your devices you need):
Mobile regexp user agent
http://chrisschuld.com/projects/browser-php-detecting-a-users-browser-from-php/
I have an Android app on Google Play and also a website where.
For the moment, I am using JavaScript to detect if the device connected to the website is an Android device. If it is, I am displaying a popup dialog on the device inviting the user to download the app from the Play Store. If the user clicks OK, he will be redirected to the Play Store page of my app; if he clicks no, he will continue using the browser.
Now, the problem is that when the user has installed the app and tries to access the webpage again, he will be asked again to download the app, even if he has already installed it (which is not a good idea).
Do you know a solution for how to check if the user already has the app installed on his mobile device?
It is also possible to do android detection with php, so if you have a method with php to detect if the app is installed, I can also use it.
Thank you very much.
I don't think this is possible for security reasons. I would not want some random website I visit to be able to access my phone Package Manager and find out what apps I have installed.
This would raise a lot of privacy and security concerns.
But I saw one answer that might have a different way of achieving your intent that might be useful to you:
https://stackoverflow.com/a/12901352/1369222
Even if the user doesn't install your application, your web site shouldn't ask more than one or two times to download your application from the Play Store. The usual way of doing this is to use the browser's cookies in order to remember if it's a new visitor or not. It's not foolproof because the cookie functionality could have been deactivated, but at least you won't have to worry about this problem for most of your visitors.
I should identify whether the site is accessed by mobile or web. I am using $_SERVER['HTTP_USER_AGENT'] to identify this. Based on that, I am loading the mobile site.
Everything works fine.
My problem is: if I change the browser settings in BlackBerry, from BlackBerry to Firefox or IE, then it loads the normal site instead of the mobile site.
How can I overcome this problem? Please help.
NOTE: I am checking on BlackBerry 5
You cannot. You are completely dependent on the browser to tell you what it is. User-agent spoofing blasts that "trust" out of the water.
Instead, you can do "functional" tests in Javascript/CSS that provide features for supporting browsers and fallback mechanisms for non-supporting browsers.
But if you want to switch to a mobile site then you really do just have to do as the browser asks. That's the server's job, anyway; if the user has gone out of their way to pretend that their phone is a normal PC, then that's their choice and your server should just do as it's told.
This is why the option exists in the Blackberry browser in the first place.
As an example, I sometimes find myself making my Android browser spoof itself as Firefox on Windows, so that I can use the normal Facebook site and access features that Facebook haven't implemented on their mobile version.