This sounds obnoxious and potentially anti-competitive. But I think it’s restricted to OAuth flows, which would indeed only affect other sites that allow the user to sign in with their Google account. So that would be the thing to test.
> On Nov 17, 2020, at 12:20 PM, Michael Catanzaro via webkit-dev > <[email protected]> wrote: > > On Tue, Nov 17, 2020 at 12:50 pm, Michael Catanzaro <[email protected]> > wrote: >> Oh, I missed a very important point. There is a header we can use to test: >> Google-Accounts-Check-OAuth-Login:true. I will try to figure out how to hack >> up the libsoup backend to send that header with all requests and see what >> happens.... > > I tested this hack: > > diff --git a/Source/WebCore/platform/network/HTTPHeaderNames.in > b/Source/WebCore/platform/network/HTTPHeaderNames.in > index cbc470412f9f..eb19ab00a054 100644 > --- a/Source/WebCore/platform/network/HTTPHeaderNames.in > +++ b/Source/WebCore/platform/network/HTTPHeaderNames.in > @@ -109,3 +109,5 @@ X-Temp-Tablet > // These headers are specific to GStreamer. > Icy-MetaInt > Icy-Metadata > + > +Google-Accounts-Check-OAuth-Login > diff --git a/Source/WebCore/platform/network/ResourceRequestBase.h > b/Source/WebCore/platform/network/ResourceRequestBase.h > index 6c9ce5cccefe..db234c37271f 100644 > --- a/Source/WebCore/platform/network/ResourceRequestBase.h > +++ b/Source/WebCore/platform/network/ResourceRequestBase.h > @@ -206,6 +206,7 @@ protected: > , m_hiddenFromInspector(false) > , m_isTopSite(false) > { > + addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true"); > } > > ResourceRequestBase(const URL& url, ResourceRequestCachePolicy policy) 
> @@ -221,6 +222,7 @@ protected: > , m_hiddenFromInspector(false) > , m_isTopSite(false) > { > + addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true"); > } > > void updatePlatformRequest(HTTPBodyUpdatePolicy = > HTTPBodyUpdatePolicy::DoNotUpdateHTTPBody) const; > > > And confirmed in the web inspector to ensure the header is really sent. Login > still works. So... maybe we will be OK? I'm not sure. I tested direct login > via google.com. I'm confused as to how this change is in any way related to > OAuth. Maybe it will only break for third-party websites that allow logging > in with a Google account? I guess we'll find out.... > > > _______________________________________________ > webkit-dev mailing list > [email protected] > https://lists.webkit.org/mailman/listinfo/webkit-dev
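Review bot: In the HTTPHeaderNames.in hunk, the new `Google-Accounts-Check-OAuth-Login` entry has no comment of its own and follows `// These headers are specific to GStreamer.` after only a blank line, so it reads as one more GStreamer header. Give it its own comment line stating that it is a test-only header for checking Google's OAuth login behaviour, so nobody mistakes it for a permanent entry.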
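Review bot: In the first ResourceRequestBase.h hunk (@@ -206,6 +206,7 @@), `addHTTPHeaderField(HTTPHeaderName::GoogleAccountsCheckOAuthLogin, "true");` is called unconditionally in the constructor body, so every request built through this constructor carries the header whatever its destination. That fits a local experiment, but if any of this is kept, the header should be limited to the requests it is meant to test or placed behind a debug-only switch, so that unrelated origins do not receive a Google-specific header.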
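Review bot: The second ResourceRequestBase.h hunk (@@ -221,6 +222,7 @@) repeats the same `addHTTPHeaderField(...)` line in another constructor body, which the preceding context suggests is `ResourceRequestBase(const URL& url, ResourceRequestCachePolicy policy)`. Move the call into one private helper used by both constructors so the two copies cannot drift apart. Since this constructor receives `url`, it is also the natural place for a destination check if the header is ever scoped.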

