Can I use Google Auth 2.0 from any origin? - javascript

I develop modal window with React.js, that can be distributed for several sites via some kind of web application market.
So I faced the issue, that for any website, that would install this extension (btw it's builded to a simple html page + couple of js files, so app will be hosted directly on website of even customer), Google auth error will throw exception of invalid origin.
So is there any way to find a workaround for my case?
btw now I'm using react-google-login library

Google allows you to set multiple URIs. Just take a look in the settings.

Related

Issues webview Android application

I make a web application using quasar and java spring boot backend. I convet my web application to an Android application using webview. But when i published in play store, its gives security issue for my backend server url. But i do not collect any data or install anything in Android apps or user device but Google gives an exception in my Android App. How can i fix this issue in Android web-view apps.
This warning is sent by Google Safe Browsing service, which is embedded in the Google Chrome Browser and several other browsers, this service looks for vulnerabilities principally in the markup; for example open tags that could lead to a code injection or other possible threats. The Safe browsing service is independent of the GCP Serverless services, this means that GCP is not marking the site as dangerous.
To prevent this message from appearing, or remove it we can do the following:
Look out for potential vulnerabilities in the app, once the changes have been made, you can use this page to see the Safe Browsing Status.
If you think that there was a mistake, you can request a review to remove the Phishing Warning in this site.
It is highly recommended to take a look a this documentation to understand what could be the reason behind the message
My issue is now fixed. It ended up being a hosting server issue. Google had me on a black list, but now its fixed.

Cannot connect to Youtube Data API V3 with javascript

So I'm building a Phonegap app and I need to access Youtube's Data API. I managed to access the simple API (The one that requires an API key) yet I'm having trouble connecting with OAuth.
I did everything the walkthrough guides told me to do, I have generated a Client ID for Web application from https://console.developers.google.com.
I'm using the auth.js file from their example at the google developers website
The main issue is that every time I try to log in, I get this error:
Refused to display
'https://accounts.google.com/o/oauth2/auth?client_id=' in
a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I tried clearing my cookies but to no avail.
I run this on localhost with Visual Studio, maybe this has something to do with that?
Ok, so after spending some time on it I finally figured out what the problem was.
On https://console.developers.google.com when I created my OAuth 2.0 client ID there was the "Authorized JavaScript origins" field which I left blank. Since I was running it from my localhost, I added http://localhost:28299 to the list of safe origins and everything worked fine.
Of course this is just for the development phase.

How to get Google Drive API example to run in Phonegap application (support for Android)?

I have successfully been able to use the example provided for the Google Drive API to authenticate and get files & folders of a user's Drive (https://developers.google.com/drive/web/quickstart/quickstart-js).
But I need to convert this example to be able to launch on an Android device using Phonegap. When I run the Phonegap application I get the following error:
Refused to display document because display forbidden by X-Frame-Options.
I have had a look at some answers for dealing with this error for other applications such as including SAMEORIGIN for X-Frame-Options in the meta tag and running the application in the emulator to see if it works but it does not. I have also made sure that the inAppBrowser plugin has been added.
Note, I am using localhost to test the application. I'm not sure if this will cause an issue.
I'm not sure how to solve Google Drive authentication in a Phonegap application.
I'm not sure what your issue is at this point, nor what you are ultimately wanting to do with your app. Consider looking at Filepicker.io as a PhoneGap integration point for Google Drive. Filepicker.io Home Page and the github repo for the plugin

Configure CORS when accessing AWS ELB service using AWS-SDK-JS

I'm working on a ELB monitoring application that I'd like to build with JS and host directly in S3. I have no experience of JS and I'm struggling to get to grips with CORS.
I have successfully created a build of the SDK for my browser (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-building.html) which includes ELB API support.
I have integrated Amazon login (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-configuring-wif.html) with my script and I have attached it to an IAM WebIdentity role.
When I call
elb.describeInstanceHealth(elbRequestParams).on('success', describeInstanceHealthCallback).send();
I get an error in Javascript console
XMLHttpRequest cannot load 'elasticloadbalancing.eu-west-1.amazonaws.com/'. The request was redirected to 'aws.amazon.com/elasticloadbalancing', which is disallowed for cross-origin requests that require preflight.
I can't find any clear documentation that what I'm trying to do won't work, but, I'll admit I'm confused by some of the terms in the documentation and I have no experience of CORS in previous applications to fall back on. I would think the whole JS-SDK for the browser is a bit redundant if the majority of services aren't CORS aware and need to be.
I can get this working by disabling web-security in my Chrome browser, obviously this isn't a good workaround but would indicate to me that CORS is the issue.
Is anyone familiar with this approach, is it a problem that I'm hosting on S3, or, would I have this problem from any server? Should I be configuring my S3 bucket with CORS, or, is it that there's no CORS policy on the 'elasticloadbalancing.eu-west-1.amazonaws.com' endpoint?
Thanks
Andrew
I have successfully created a build of the SDK for my browser (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-building.html) which includes ELB API support.
The referenced page already provides the first clue towards the lack of CORS support for elasticloadbalancing.eu-west-1.amazonaws.com you correctly suspect to be the cause here:
If you are working with the SDK outside of an environment that
enforces CORS in your browser and want access to the full gamut of
services provided by the AWS SDK for JavaScript, it is possible to
build a custom copy of the SDK locally by cloning the repository and
running the same build tools used to generate the default hosted
version of the SDK.
That is, the main reason for the official AWS SDK for JavaScript in the Browser excluding all but the currently 5 services listed in section Supported Services within Working with Services in the Browser is their lack of CORS support:
It is possible to use the SDK with other services if CORS
security checking is disabled in your environment. In this case, you
can build your own custom version of the SDK. See the Building the
SDK section of the guide for more information on how to create a
custom build of the SDK.
Unfortunately neither Amazon EC2 nor Elastic Load Balancing currently offers CORS support, see e.g. this recent Feature Request (CORS support for EC2 service), where the author rightfully reaches the same conclusion as you did already (while also hinting on Node.js to be another major use case, which supports all available AWS services, see Working with Services in Node.js):
From my point of view if AWS is providing a aws-sdk-js library all AWS services supported by this library should support CORS so that the aws-sdk-js iibrary is not just useable in a node.js environment but also in a browser.
While I agree in principle and would have expected faster turnaround times on this myself, AWS is well known for an agile approach to product development, i.e. start early with a small feature set and improve over time based on customer feedback. Notably the SDK is labeled Developer Preview only, i.e. not even BETA yet and I'd hope this to be addressed in the future accordingly - admittedly this is easily overlooked and a more prominent warning might go a long way in sparing users the time to figure out this limitation by themselves.

Simple application to aggregate information from multiple web services in fullscreen

Whats the easiest way to build a simple 'web' application which is a single page, that just refreshes itself (using AJAX or something) to display continuously changing data hosted on various different servers on the internet?
I want to interface with (for example) Twitter, Facebook, Skype, Google Calendar, and any number of other services that have some type of web API.
The application does not need to allow user interaction other than to configure it with the authentication parameters needed to access those services.
It should be able to run full-screen with no UI elements showing, just the pretty information I am displaying.
I started to write an HTML file using Jquery but I am running into "Same Origin Policy" issues. Is there a way around this?
I'd love to just write this in Html/Javascript and run it in Google Chrome, is that possible somehow? I don't know how to get around SOP without hosting my own web server as a proxy to cross the domains.
Is there another alternative that is still pretty easy and simple? I looked into using the Windows Vista Sidebar but apparently you can't have a full-screen gadget.
I figured out that I can use the command line option for chrome:
--disable-web-security
And it will allow me to workaround the same origin policy, and since I am using this for a local application I can put the app in a virtual machine and let it run without too much worry.

Categories

Resources