I developed an HTML5 page to list Google Drive files and tested it with the PhoneGap server. All works fine, because I created an OAuth2 client with http://localhost:3000 configured.
When I tried to test an APK file, with the SHA1 (also configured on OAuth2 in the Google Drive console), I received the error:
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=<KEY>' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I understand that this error occurs because OAuth2 doesn't expect the origin. But the origin is not http; it is file (file:///android_asset/www/index.html). The Google API Console doesn't accept the 'file' protocol, just 'http'.
How can I solve this?
According to the solution given in this SO post, Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN', regarding the error encountered:
This is not related to disabling security in the Chrome browser. I believe there might be some issues with my XAMPP Windows localhost. Deploying the same application on a node.js server, or hosting it on Dropbox/Google Drive as a web app, also works fine.
Additionally, to make a request, as discussed in step #2 of the basic steps in Using OAuth 2.0 to Access Google APIs, obtain an access token from the Google Authorization Server. Ways to make a request are as follows:
a JavaScript application might request an access token using a browser redirect to Google
an application installed on a device that has no browser uses web service requests.
Sample scenarios which you can use can be found in the documentation.
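The refusal in the question is the browser's framing check, not an OAuth error: the response from accounts.google.com carries X-Frame-Options: SAMEORIGIN, and a file:// document has an opaque origin that is never "same" as anything. The following Python model of that check is an added example, not code from the question, the answer or Google; it evaluates X-Frame-Options and, when present, the CSP frame-ancestors directive that overrides it, so you can test a response's headers against any would-be framing origin. The header values and URLs fed to it are constructed inputs; the function and variable names are my own.

```python
from urllib.parse import urlsplit

# Default ports used when a URL or a CSP host-source omits one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """Return the (scheme, host, port) tuple for a URL, or None for an
    opaque origin such as a file:// document. Opaque origins never equal
    any other origin, which is exactly why SAMEORIGIN fails for them."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])


def frame_ancestors_of(csp):
    """Return the source list of the frame-ancestors directive in a CSP
    header value, or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def source_matches(source, framer, page):
    """Match one frame-ancestors source expression against the framing
    document's origin. `page` is the origin of the framed response; it
    is used for 'self' and for host-sources that carry no scheme."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer is not None and framer == page
    if framer is None:
        return False  # opaque (file://) ancestors match no network source
    scheme, host, port = framer
    if "://" not in source and source.endswith(":"):  # scheme-source, e.g. https:
        s = source[:-1]
        return s == scheme or (s == "http" and scheme == "https")
    if source == "*":
        return True
    src_scheme, _, rest = source.rpartition("://")
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    # Explicit scheme, else the framed page's scheme; http may be upgraded to https.
    want = src_scheme or (page[0] if page else scheme)
    if not (want == scheme or (want == "http" and scheme == "https")):
        return False
    if src_host.startswith("*."):
        host_ok = host.endswith(src_host[1:]) and host != src_host[2:]
    else:
        host_ok = host == src_host
    if src_port == "*":
        port_ok = True
    elif src_port:
        port_ok = src_port.isdigit() and int(src_port) == port
    else:
        port_ok = port == DEFAULT_PORTS[scheme]
    return host_ok and port_ok


def may_frame(headers, page_url, framer_url):
    """Decide whether a document at framer_url may embed the response for
    page_url, given that response's headers. Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    ancestors = frame_ancestors_of(h.get("content-security-policy", ""))
    if ancestors is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        return any(source_matches(s, framer, page) for s in ancestors), "csp-frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "xfo-deny"
    if xfo == "SAMEORIGIN":
        return framer is not None and framer == page, "xfo-sameorigin"
    # Absent, ALLOW-FROM (not supported by Chrome) or malformed: not enforced.
    return True, "no-policy"


if __name__ == "__main__":
    # The situation from the question: Google's page answers with
    # X-Frame-Options: SAMEORIGIN and the framer is the app's file:// page.
    print(may_frame({"X-Frame-Options": "SAMEORIGIN"},
                    "https://accounts.google.com/o/oauth2/auth",
                    "file:///android_asset/www/index.html"))
```

The model shows why no Console setting can help here: the check is made by the browser against the origin of the embedding document, and the only outcomes that allow framing are an identical origin or a permissive frame-ancestors policy set by the framed site, neither of which the app controls. The practical consequence is the one the answer points to: obtain the token through a top-level navigation or an installed-app flow rather than an iframe.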
Related
I want to log in using Coinbase OAuth2 in my Flutter app on Android and iOS. I use the flutter_web_auth package; the authentication is stuck on processing for Android (all the Android native code and Coinbase API setup is correct) and works well for iOS. Below is the link for more details.
https://github.com/LinusU/flutter_web_auth/issues/83
I tried the link below on Android 10 in the Chrome browser; it is stuck on the processing page:
https://www.coinbase.com/oauth/authorize?response_type=code&client_id=your_client_id&redirect_uri=your_redirect_uri
but the same link works well on a laptop.
When I inspect the Chrome browser on the Android phone it gives the error below (it works well on the Firefox mobile browser though):
jquery-cb0decd18b4b0abbece3cfc180d9adc8e11dfa693cf34c2ff1ffcda86e725301.js:2 Mixed Content: The page at 'https://www.coinbase.com/oauth/authorize' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'my.myapp.app://myapp-oauth'. This endpoint should be made available over a secure connection.
jquery-cb0decd18b4b0abbece3cfc180d9adc8e11dfa693cf34c2ff1ffcda86e725301.js:2 Mixed Content: The page at 'https://www.coinbase.com/oauth/authorize' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'my.myapp.app://myapp-oauth/'. This endpoint should be made available over a secure connection.
trigger # jquery-cb0decd18b4b0abbece3cfc180d9adc8e11dfa693cf34c2ff1ffcda86e725301.js:2
authorize:1
Navigation is blocked: my.myapp.app://myapp-oauth?code=1cbfd2f26d220a5fda629f6dc75b0ea6c7281c946863452be4415ca04dbea5c6&state=alcmwppxlk9p5k3wbbxyv5t4a
I'm pretty new to Android / mobile programming.
Is it possible to create an Android App that talks directly to the Google Photos API without my own server / backend? I see most of the examples have a Java server, but for the simple app I'm trying to build, I don't want/need the extra server.
In particular, the part I'm struggling with is obtaining Credentials used in this class [1] from Android. I can't figure out how to get a refresh token, and the included code on github does not run on Android (only on a server).
[1] https://github.com/google/java-photoslibrary/blob/a26b5de8924b68158d759a478af425f267a344a8/sample/src/main/java/com/google/photos/library/sample/factories/PhotosLibraryClientFactory.java
Thanks!
I have a Cordova/Ionic mobile app that loads Google Maps (in the index.html main file) into the app (both Android and iOS) using https://maps.googleapis.com/maps/api/js?key=AndroidKey and https://maps.googleapis.com/maps/api/js?key=iOSKey. Each key is locked down with "app" restrictions and it's not working. I discovered that web service APIs can only be locked down by HTTP referrer or server IP.
But since the maps are loaded directly by the client, there is no HTTP referrer by domain or server IP. Is there any other way I can lock down the API keys?
Can I use something like https://github.com/wymsee/cordova-HTTP to create an HTTP referer? And if I can, what kind of legitimate domain referrer can I create that would work with the Google Maps API HTTP referer restrictions?
Update:
Someone marked this as a dup, but that post is about the Android SDK API, whereas mine is about the JavaScript Maps API.
In Ionic 3/4/5, when using cordova-plugin-ionic-webview (docs), the referrer is ionic://localhost for iOS and http://localhost for Android.
The first solution is to customize the scheme and/or hostname. This sounds like a reasonable option, as this way the referrer can be set to something like https://mobileapp.author.domain.com/, which cannot be easily stolen by a website (well, another app could possibly set the same).
Similarly, for Capacitor "server": {"hostname": "mobileapp.author.domain.com"} can be used (as per this SO answer: How to protect Google Maps API key on Ionic app?).
The quick'n'dirty option is to add *://localhost/* as a website restriction; this is the only way I found to whitelist the ionic://localhost/ referrer. This should also work for Capacitor, which uses capacitor://localhost/.
I am building a progressive web app on Google App Engine.
Authentication is via Google API.
It is all working fine on a desktop browser, but when I access the app on a mobile phone browser (both iPhone and Android), the authentication button is hidden.
(I don't think this is because I am using service workers and it has cached an older version of the code, because I have just accessed it on a fresh phone and it is still doing it.)
Could this be a cross-origin or cross-domain conflict?
I have found the answer, and it now works.
The answer was to enable CORS (Cross-Origin Resource Sharing) for static hosted content on Google App Engine
(link found on the Enable CORS website)
I'm using getUserMedia() in my web app, which works fine when I test the app on localhost. But if I treat my laptop as the server and launch the app in the Google Chrome browser on my Android phone, it gives me the error:
getUserMedia() no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details.
When I checked https://goo.gl/rStTGz I got to know that getUserMedia() is deprecated on insecure origins. It is written that, for development mode,
You can run Chrome with the --unsafely-treat-insecure-origin-as-secure="example.com" flag (replacing "example.com" with the origin you actually want to test)
How and where can I set this flag? Is there any other alternative?
This can be done from chrome://flags/ or about://flags.
Go to about://flags, search for unsafely-treat-insecure-origin-as-secure flag, and enable it. You will have to provide the origin which you want to be treated as secure.
Multiple origins can be entered as comma-separated values.
Relaunch your browser after making this change.
Note that the protocol part is also important; specifying just the IP address or the domain name isn't enough, e.g. http:// in http://192.168.43.45. If you are not using port 80, then you may have to specify that too.
The following is a screenshot from my mobile phone.
Mobile: Samsung Galaxy S10e
Android version: 10 (Android 10)
Google Chrome version: 79.0.3945.136
For local testing of a website I am building, geolocation was needed.
Geolocation is allowed in secure locations. I do have a production server with HTTPS certificate, but the development and the debugging process would become too slow if I have to upload content to it every time.
More info
https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
Move localhost to the device
One method is to run an HTTP server on your Android device. The consensus in answers to this question is that NanoHTTPD is worth trying. If you want a ready-made application, a web search for http server for android turned up Simple HTTP Server on Google Play Store. After copying the client side of your web application to the device and starting the server, you should be able to open http://localhost:12345 in Chrome for Android.
Or make your test server secure
You can test secure-context-only features without using --unsafely-treat-insecure-origin-as-secure by turning your existing test server into a potentially trustworthy origin. Follow these steps:
If you do not already own a domain at a registrar that bundles DNS hosting compatible with the dehydrated ACME client, register one. This incurs a fee, which recurs as long as you keep the domain active.
Point a subdomain at your test web server's internal IP address. It need not be reachable from the Internet.
Configure your test web server to respond to HTTPS on port 443 of this subdomain, using NameVirtualHost or the like.
Use the dehydrated ACME client with the appropriate dns-01 hook for your DNS host to obtain a certificate from Let's Encrypt for your test web server.
Install this certificate into your test web server.
I faced this problem too, but in Chromium on Ubuntu. I solved it by running this command in the console:
chromium-browser --unsafely-treat-insecure-origin-as-secure="http://localhost.dev:3000" --user-data-dir="$HOME/.config/chromium/Profile 1"
where localhost.dev:3000 is your website.
Information for other systems is here:
where is data directory
how to launch chrome and set keys
Short information about the --unsafely-treat-insecure-origin-as-secure flag:
Treat given (insecure) origins as secure origins. Multiple origins can be supplied. Has no effect unless --user-data-dir is also supplied.
Example:
--unsafely-treat-insecure-origin-as-secure=http://a.test,http://b.test --user-data-dir=/test/only/profile/dir
I didn't check, but for Android you may also be able to set the flags on the chrome://flags page.
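The answers above all turn on the same rule: getUserMedia() and geolocation are gated on whether the page's origin is "potentially trustworthy" (the Chromium page linked under More info), and the flag only adds an allow-list of origins to that test. The Python below is an added example, not code from any answer or from Chromium; it models the rule together with the two caveats the answers give (the flag entry must carry a scheme and a non-default port, and it has no effect without --user-data-dir). Treating flag entries as exact (scheme, host, port) origins is an assumption of this model; the URLs, flag values and profile path it is run with are constructed inputs, and all function names are my own.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_tuple(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def parse_flag(value):
    """Parse the comma-separated value of --unsafely-treat-insecure-origin-as-secure
    into a set of origin tuples. Entries without a scheme are dropped: the flag
    needs full origins, so a bare IP address or host name achieves nothing."""
    origins = set()
    for entry in value.split(","):
        entry = entry.strip()
        if "://" in entry:
            origins.add(origin_tuple(entry))
    return origins


def flag_problems(value):
    """Return the flag entries that will be ignored because they lack a scheme."""
    return [e.strip() for e in value.split(",") if e.strip() and "://" not in e]


def is_potentially_trustworthy(url, flag_value="", user_data_dir=None):
    """Model of the 'potentially trustworthy origin' test that gates
    getUserMedia(), geolocation and similar features, plus the override
    list supplied by the flag. Returns (trustworthy, reason)."""
    origin = origin_tuple(url)
    scheme, host, _port = origin
    # The override only applies when --user-data-dir is also given
    # (the flag's own help text says it has no effect otherwise).
    if user_data_dir and origin in parse_flag(flag_value):
        return True, "allow-listed by flag"
    if scheme in ("https", "wss"):
        return True, "secure scheme"
    if scheme == "file":
        return True, "file scheme"  # local files count as secure contexts
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and ip.is_loopback:
        return True, "loopback address"
    if host == "localhost" or host.endswith(".localhost"):
        return True, "localhost name"
    return False, "insecure origin"


if __name__ == "__main__":
    # Constructed inputs: the laptop reached from the phone over the LAN.
    lan_app = "http://192.168.43.45:3000/"
    print(is_potentially_trustworthy(lan_app))
    # Flag entry without the port: origin mismatch, still insecure.
    print(is_potentially_trustworthy(lan_app, "http://192.168.43.45", "/tmp/profile"))
    # Flag entry with scheme and port, and a profile directory: allowed.
    print(is_potentially_trustworthy(lan_app, "http://192.168.43.45:3000", "/tmp/profile"))
    print(flag_problems("192.168.43.45, http://a.test"))
```

Running it shows why the localhost-on-device and real-certificate routes are the durable ones: http://localhost and 127.0.0.1 are trustworthy with no override at all, an https origin is trustworthy on any device, while the flag is a per-profile, exact-origin override that silently does nothing when the scheme, the port or the profile directory is missing.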