Set up TLS proxy for Google Cloud Endpoint APIs - android

I have been viewing my Google App Engine endpoint APIs in the API explorer (localhost) without issues, now am getting this:
in full it says:
You are exploring an API that is described or served via HTTP instead of HTTPS. This is insecure and may be blocked by your browser. To fix this, set up a TLS proxy for your API. Alternatively, you can tell your browser to allow active content via HTTP at this site (on Chrome, click the shield in the URL bar), but this will not improve security or dismiss this message.
This is one of the API methods I have in my endpoint:
    @ApiMethod(
            name = "insert",
            path = "movie",
            httpMethod = ApiMethod.HttpMethod.POST)
    public Movie insert(Movie movie) throws UnauthorizedException {
        ...
    }
Since I do not know what's causing this all of a sudden, I do not know what else to show. I've tried updating my browsers (Firefox, Opera, Chrome) with no luck.

The same problem appeared to me today
For now if you are using chrome you can click on the shield icon on the right of the URL bar and click on something saying load scripts anyway and your API should appear.
Image: http://i.gyazo.com/f16a557c4b53c147f31067029d15c093.png

You will likely want to use a browser-based workaround, such as the shield icon on Chrome. This was recently added to address a security vulnerability. Unfortunately, we are unable to do better than this. A colleague suggests that stunnel may be viable for setting up a TLS proxy, if you want to go that route.

Related

Not able to return back to the app from ChromeCustomTabsBrowser

I have implemented login using ChromeCustomTabsBrowser. After successful login, if the app's Open Supported links setting is set to "Ask every time" instead of "Open in this app", the response is not getting back to the app and a 404 screen is shown, as in the attached screen.
Interesting - looks like you are using an https scheme for redirects and here is how we'd like the technology to work:
You are automatically deep linked back to your app when a login response is received over the https URL.
However, in practice I believe this is what happens:
Almost all mobile browsers try to run an internet hosted web page instead
A claimed https scheme solution is very hard to achieve and rarely used in practice today - more of an aspiration than a reality? But I believe it would need to work like this:
Capture the response on the internet web page which runs on your mobile device
Then deep link back to the app
A similar approach is used by a sample internet web page of mine - do a view source to see the logic
If it helps I have a demo Android sample that instead uses the more mainstream option of private URI schemes - though I may update it to claimed https schemes one of these days.
Code
Explanatory Articles
Even getting this form of Chrome Custom Tab based login working was a struggle, and my posts have some lessons learned that may be useful.

MS Graph can't open a new browser activity when Chrome is disabled/deleted of device

I have developed a Xamarin Forms app that uses MS Graph for user sign-in. I have used samples from GitHub that open a new browser activity where the user signs in, and then the app goes to the home activity. It works correctly. But some users have blocked or deleted the Chrome app in order to use MS Edge as the default browser, and then when the app tries to start the browser activity, it throws an error because it can't find the Chrome activity. I have asked on the MS Graph GitHub (https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/242 ), but they and I both think that it isn't a problem with the SDK, and I don't know how I could fix it. How should I fix it so that it works with any installed browser?
Thank you
It is done by design. The Microsoft Identity Client library uses Custom Chrome tabs and does not have any fallback strategy to run using a WebView.
You are probably encountering this exception thrown when it doesn't find Chrome installed: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/dev/src/Microsoft.Identity.Client/Platforms/Android/AuthenticationActivity.cs#L131
    string chromePackageWithCustomTabSupport = GetChromePackageWithCustomTabSupport(ApplicationContext);
    if (string.IsNullOrEmpty(chromePackageWithCustomTabSupport))
    {
        string chromePackage = GetChromePackage();
        if (string.IsNullOrEmpty(chromePackage))
        {
            throw new MsalClientException(MsalClientException.ChromeNotInstalledError,
                "Chrome is not installed on the device, cannot proceed with authentication");
        }
        // ... (excerpt ends here; see the linked source for the rest)
    }
@Cheesebaron is correct, this is by design. Currently, Xamarin Android in MSAL can only launch Chrome or Chrome custom tabs. If the device doesn't have them, it will cause an exception, as you noted above.
@cansado2930 This part of the error message, pkg=com.android.chrome, means Chrome is not installed on the device.
Embedded webview support in MSAL will be an option in the near future.
Here's a link to the issue in the MSAL repo.

Chrome For Android - How to intercept certificate selection

I've got a problem with an enterprise intranet (accessible only on the enterprise network).
This website needs a certificate installed on the tablet to be called. At launch, the website calls more than 10 urls that are also secured.
The certificate is correctly installed on the tablet.
On chrome for Windows, we've got no problem at all.
But when we try to access the website from Chrome for Android, Chrome keeps asking which certificate to use (same problem described there)
So actually, when you connect to the website, you have more than 10 popups that ask you which certificate to use. When you restart the device, you have to do it again.
I found http://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateForUrls but it doesn't seem to work on Android devices
I wanted to make an APK with Chrome Custom Tabs; I wanted to "pre-load" the URL calls and intercept the certificate prompt, then I wished I would be able to give it the right one, but it doesn't seem to be possible...
So I'm wondering what I could do. I'm new to Android coding, so I don't know all the possibilities....
Any ideas ?
Thanks !
The solution was to implement the WebView component, that allows you to intercept the certificate request from the server.
You'll have to implement the WebViewClient class, and to use the onReceivedClientCertRequest :
    @Override
    public void onReceivedClientCertRequest(WebView view, final ClientCertRequest request) {
        Log.d(TAG, "Asking for certificate - url " + request.getHost() + " - " + request.getPort());
        request.proceed(mPrivateKey, mCertificates);
    }
I wanted to retrieve the certificate from the android keystore, I shared the solution here.
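A host-restricted variant of the handler above, added here as an example and not part of the original answer: it presents the client certificate only to endpoints on an explicit allowlist and cancels every other request, so a page or sub-resource on an unexpected host cannot obtain the enterprise identity. The class name and host names are hypothetical, and the key and chain are assumed to have been loaded beforehand (for instance from the Android KeyChain, off the main thread).

```java
import android.webkit.ClientCertRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Presents the client certificate only to hosts on an explicit allowlist. */
public class PinnedClientCertWebViewClient extends WebViewClient {
    // Hypothetical intranet endpoints ("host:port"); replace with the
    // servers that actually require the certificate.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "intranet.example.internal:443",
            "api.example.internal:443"));

    private final PrivateKey privateKey;
    private final X509Certificate[] chain;

    public PinnedClientCertWebViewClient(PrivateKey privateKey, X509Certificate[] chain) {
        this.privateKey = privateKey;
        this.chain = chain;
    }

    /** Pure helper so the allowlist decision can be unit-tested off-device. */
    static boolean isAllowed(String host, int port) {
        if (host == null) {
            return false;
        }
        return ALLOWED.contains(host.toLowerCase(Locale.ROOT) + ":" + port);
    }

    @Override
    public void onReceivedClientCertRequest(WebView view, ClientCertRequest request) {
        if (privateKey != null && chain != null
                && isAllowed(request.getHost(), request.getPort())) {
            // Known endpoint: answer silently, no chooser dialog is shown.
            request.proceed(privateKey, chain);
        } else {
            // Any other server asking for a certificate gets none.
            // cancel() is remembered by the WebView for this host and port.
            request.cancel();
        }
    }
}
```

Both proceed() and cancel() are cached by the WebView for later requests to the same host and port; WebView.clearClientCertPreferences() resets that cache after the allowlist or the certificate changes.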

Android Play Store market:// link is no longer working?

I've been redirecting my users for the past year from my domain:
http://example.com/get
to: market://details?id=com.example.myapp
Today I've checked this on Nexus 5/LG G3/OnePlus One from the Chrome browser app and it stopped working!
Now, when my users try to download the app they are redirected to a broken link.
Anyone know anything about this change in the Chrome app in Android?
From reading Chrome's version 40 release, there are some insights I'd like to share:
http://blog.chromium.org/2014/12/chrome-40-beta-powerful-offline-and.html
They updated to Content Security Policy Level 2, which has stronger control over redirects.
https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1
The path component of a source expression is now ignored if the resource being loaded is the result of a redirect, as described in §4.2.2.3 Paths and Redirects.
Redirects are blocked by default, and explicitly allowed with a new unsafe-redirect expression.
So I did some testing. If your initial action started from a redirect (no matter whether window.location or HTTP 302) it will show an error. But once I created a hyperlink to market:// and explicitly clicked it, it worked fine.
For now I ended up creating a webpage in between, where I ask the user to click the link to proceed.
I was testing this URL on different devices with different OS/Play Store/Play Services/browsers. Looks like it's related to the browser but not the OS or Play Services.
Initially I updated Play Services and Google Play Store and my old Chrome (v18) was opening market://details?id= url fine.
Afterward I had updated my Chrome (v18) to version 40. And it's not working any more.
Meanwhile, Firefox and the default "Browsers" still open this URL and redirect to the Google Play Store app.
P.S. I have registered issue in Chromium bug tracker. Let's see if there will be any response:
https://code.google.com/p/chromium/issues/detail?can=2&q=market&colspec=ID%20Pri%20M%20Week%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified&id=454396&thanks=454396&ts=1422888121
UPDATE [6.05.15] : Unfortunately, they decided not to fix this issue, saying, that it's planned behaviour. As they said, user should click the link by himself. Only then re-direct to the app on devices is allowed.
So, there is only one "work-around", that I see for now: create a page, that contains text like "Click link below to go to the app", followed by link like:
Load Example App
or
<a href="intent://foo.bar#Intent;scheme=blabla;package=com.example.myapp;end" > Load App/ Activate your Profile </a>
Try the link below, replacing your.app.id with your own identifier:
https://play.app.goo.gl/?link=https://play.google.com/store/apps/details?id=your.app.id&ddl=1&pcampaignid=web_ddl_1

Sencha Touch 2.1 native (android) app not getting json from remote (it works on PC)

I created my first Sencha touch 2 app by watching this video (http://youtu.be/5F7Gx0-W-M4) and it has a store page structured like this:
    Ext.define('FirstApp.store.Places',{
        extend:'Ext.data.Store',
        config:{
            autoLoad:true,
            model:'FirstApp.model.Place',
            proxy:{
                type:'ajax',
                url:'https://maps.googleapis.com/maps/api/place/search/json?location=-33.8670522,151.1957362&radius=500&types=food&name=harbour&sensor=false&key=AIzaSyCFWZSKDslql5GZR0OJlVcgoQJP1UKgZ5U',
                reader:{
                    type:'json',
                    rootProperty:'results'
                }
            }
        }
    })
The after-build (after running "sencha app build native") package works very well on my Mac (all browsers), but the generated app (I am running it on my Nexus phone) works but doesn't collect any data from the Google Maps JSON.
Any help would be appreciated
The example you are referring to is using Google Maps' place search API. You cannot use this API when you build the app for a mobile phone with proxy set to ajax. Basically, you cannot use any resource that is outside your domain. Like if your site is at yourdomain.com and there is someotherdomain.com, then you can't make an ajax request to this someotherdomain.com from yourdomain.com unless that domain allows you to. In this case, your mobile app does not have any domain. You are just loading a page inside a webview.
The reason is, ajax will not be able to load cross-origin resources. The app build works on browsers because I believe you're using Chrome with the --disable-web-security flag. To work with CORS you need to use the JsonP proxy. It's the only way if you're packaging for a mobile app. If you own the server (not in this context though), then you can allow CORS by setting appropriate headers like
Access-Control-Allow-Origin: *
or
Access-Control-Allow-Origin: http://yourdomain.com/resource
Try setting proxy to JsonP.
