Google says they will be blocking sign-ins from CEF

Do not post support requests, bug reports or feature requests. Discuss CEF here. Non-CEF related discussion goes in General Discussion!

Google says they will be blocking sign-ins from CEF

Postby riku » Mon Apr 22, 2019 11:31 pm

I'm slightly worried about this blog post by Google: https://security.googleblog.com/2019/04 ... iddle.html

Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June.


The article makes CEF sound like it's only used for automation, but our use case for CEF has nothing to do with automation, we just need the off-screen-rendering mode for embedding web browsers in our platform.

I wonder how they will identify CEF vs Chromium and could I do to stop this thing from happening.
riku
Techie
 
Posts: 17
Joined: Mon Feb 18, 2019 4:42 am

Re: Google says they will be blocking sign-ins from CEF

Postby amaitland » Tue Apr 23, 2019 4:57 am

It's not a complete block, you'll still be able to login via OAuth.

With time and effort I think it is likely you could workaround the security restrictions, I think it's better if we as a community accept that we are forced to use OAuth. The more plotting and scheming people attempt the more likely hasher restrictions will be imposed, just my opinion anyway.

It is unfortunate that a small number of CEF users have drawn unwanted attention from the Google Suite security team.

Whilst the details are vague at the moment, Marshall may have some more insight. It would be nice if Google presented a standard approach for when the request is blocked so it could be managed in a seamless fashion. Perhaps a predictable URL pattern (urls may potentially vary by region), or a set URL and expected error code.

Perhaps some should reach out for some further clarification? Comments are enabled on the blog post.
Maintainer of the CefSharp project.
amaitland
Virtuoso
 
Posts: 1290
Joined: Wed Jan 14, 2015 2:35 am

Re: Google says they will be blocking sign-ins from CEF

Postby riku » Tue Apr 23, 2019 6:43 am

I'm not using CEF as an automation framework, I use it as a normal touch-enabled web browser for normal users who will log in to their own emails and whatnot by browsing to a website and writing their usernames and passwords normally.

So for my pretty normal use case it sounds like a complete block.
riku
Techie
 
Posts: 17
Joined: Mon Feb 18, 2019 4:42 am

Re: Google says they will be blocking sign-ins from CEF

Postby magreenblatt » Tue Apr 23, 2019 11:38 am

I've started a discussion about this at https://groups.google.com/a/chromium.or ... j1v_cqBgAJ. We're waiting for the Google sign-in team to provide clarification (after the long holiday weekend).
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: Google says they will be blocking sign-ins from CEF

Postby linuxcef9 » Thu Aug 29, 2019 11:42 am

Running into this issue with latest cef. Any idea what workarounds can be done? This will impact our functionality a lot.
Attachments
Capture.PNG
Capture.PNG (17.27 KiB) Viewed 42992 times
linuxcef9
Expert
 
Posts: 143
Joined: Tue Nov 06, 2018 3:08 pm

Re: Google says they will be blocking sign-ins from CEF

Postby magreenblatt » Thu Aug 29, 2019 11:45 am

You can specify a different User-Agent string. For example, Mozilla works:
Code: Select all
cefclient.exe --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: Google says they will be blocking sign-ins from CEF

Postby linuxcef9 » Thu Aug 29, 2019 11:51 am

magreenblatt wrote:You can specify a different User-Agent string. For example, Mozilla works:
Code: Select all
cefclient.exe --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"


Thanks marshall.

However, changing user agent seems to be a stop-gap solution as it might break some websites which offer different functionality based on User Agent.
Also, google might be checking for more than one vector to detect that it's a CEF so even though it might work few times, there's no guarantee that it will work everytime.

I also don't see any updates from Google auth team in the forum post you started : https://groups.google.com/a/chromium.or ... j1v_cqBgAJ
In one of that post, someone mentioned that websites should implement OAuth login or use PWA but in our use case, the user is just trying to launch google.com and sign-in.

Any advice?
linuxcef9
Expert
 
Posts: 143
Joined: Tue Nov 06, 2018 3:08 pm

Re: Google says they will be blocking sign-ins from CEF

Postby magreenblatt » Thu Aug 29, 2019 11:56 am

Sorry, I have no additional information to add.
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: Google says they will be blocking sign-ins from CEF

Postby linuxcef9 » Thu Aug 29, 2019 11:58 am

magreenblatt wrote:Sorry, I have no additional information to add.


I understand.

Thanks for your work on this project! Hope some resolution comes soon from google auth team.
linuxcef9
Expert
 
Posts: 143
Joined: Tue Nov 06, 2018 3:08 pm

Re: Google says they will be blocking sign-ins from CEF

Postby ndesktop » Fri Aug 30, 2019 6:52 am

I am using - for different reasons - a patched CEF, which overrides user agent on a per request/url basis.
Basically it's a new method in CefRequestHandler:
Code: Select all
class CefRequestHandler : public virtual CefBaseRefCounted {
 public:
  typedef cef_return_value_t ReturnValue;
...
  ///
  // Set user agent *before* CefRequest becomes readonly.
  ///
  virtual bool GetOverrideUserAgent(CefRefPtr<CefBrowser> browser,
                                    CefRefPtr<CefDictionaryValue> request_info,
                                    CefString& overrideUserAgent) { return false; }
};
#endif  // CEF_INCLUDE_CEF_REQUEST_HANDLER_H_

(Can be used also directly CefString url instead of CefRefPtr<CefDictionaryValue> request_info - it's a dictionary for me in case I will need other values).

The implementation is basically:
1. in OnBeforeResourceLoad
Code: Select all
CefRequestHandler::ReturnValue
ClientHandler::OnBeforeResourceLoad(CefRefPtr<CefBrowser> browser,
    CefRefPtr<CefFrame> frame,
    CefRefPtr<CefRequest> request,
    CefRefPtr<CefRequestCallback> callback)
{
...
        //  spoof user agent if necessary
        CefRefPtr<CefDictionaryValue> request_info =
            CefDictionaryValue::Create();
        if(request_info.get()) {
            request_info->SetString(CefString("url"), request->GetURL());
        }
        CefRequest::HeaderMap headers;
        request->GetHeaderMap(headers);
...
        CefString overrideUserAgent;
        if(GetOverrideUserAgent(browser, request_info, overrideUserAgent))
        {
            headers.erase("User-Agent");
            headers.insert(std::make_pair("User-Agent", overrideUserAgent));

            request->SetHeaderMap(headers);
        }
...

and the implementation:
Code: Select all
bool ClientHandler::GetOverrideUserAgent(CefRefPtr<CefBrowser> browser,
    CefRefPtr<CefDictionaryValue> request_info,
    CefString& overrideUserAgent)
{
    CEF_REQUIRE_IO_THREAD();

    do {
        if(request_info.get() == nullptr)
            break;
        if(!request_info->HasKey("url"))
            break;
        CefString url = request_info->GetString("url");

        overrideUserAgent = CallYourInternalImplementationBasedOnUrl(url); // return empty string by default, Firefox user agent for others etc.
        return !overrideUserAgent.empty();
#pragma warning(disable: 4127)
    } while(0);
#pragma warning(default: 4127)
    return false;
}


Then it's a matter of whatever CallYourInternalImplementationBasedOnUrl you need.
For example, if std::string(url).find("https://accounts.google.com/") == 0 ==> return Firefox UA etc.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am

Next

Return to CEF Discussion

Who is online

Users browsing this forum: No registered users and 4 guests