My web app extends a Google Form's functionality by loading it as an iframe, and doing other stuff outside the iframe. If the Google Form requires authentication, Google makes a "Sign In" box appears within the iframe. When a user clicks on the button, a new tab opens, and the user is re-directed to the form in the new tab.
If a user navigates away from my web app, the extra functionality will obviously not work. So, what I am looking for is: to have an authenticated Google Form load as an iframe within my web app.
I can make the user first sign in via Google Sign-In (OAuth) on my web app and then load the iframe. On Chrome and Firefox, the iframe automatically starts with a logged-in session. This is great! But, this solution doesn't work on Safari. Is this related to Safari blocking third-party cookies?
If I want this functionality to work within Safari (and other such browsers), how would I go about doing it? Will I have to use the Storage Access API? If yes, can you broadly tell me how to do it?
For now, I could just ask users to download Firefox/Chrome if they want to use my web app. Most of my users are Chrome users anyway. But, is implementing these privacy measures a part of other browsers' roadmap too? If yes, I may as well try and build a solution that will work in a year or two.
I expect so.
This needs to happen in the iFrame, so Google rather than you need to implement it.
Yes, but not until 2022, so I would hope Google forms will support this by then.
Related
Short:
I need help in SSO in Safari, I'm using iFrame and postMessage logic which is working fine in Chrome and Firefox (PC, Mac, Android and iOS) but the catch is in Safari. I tried Storage Access APIs and placed those in iFrame's onLoading event to check access. But the localStorage which I was used to store JWT is not persistent in the iFrame. I'm using Angular 11.
Scenario:
I'm developing few applications which uses same auth site for sso, which was working as expected as I said in short description. But when it comes to Intelligent Tracking Prevention enabled browsers as of now Safari, It blocks the iFrame by considering it as 3rd Party Trackers which is very insane since the iFrame's origin (Domain) is same with Sub-domain used in service sites.
I tried to check the access by using storage access API i.e hasStorageAccess() in window onLoad method in the iFrame's script. If has no access, I called requestStorageAccess(). I'm here not using user gesture and using button click from service site because I'm using angular for frontend framework but in order to request using button in iFrame.(Since, The policy specifies to get access works only after user interaction which is another headache for devs)
I need help to overcome this issue and fix the SSO with ITP. Any guidance is useful and I'll keep updated.
Google is working fine with their sso and services such as YouTube and Mail doesn't need login on every visit. Any idea on how they achieved.
The reason could be that Safari has the option "Prevent cross-site tracking" enabled by default and that can interfere with the SSO login and display of an embedded iframe (because it blocks some cookies).
Solution
Disable (uncheck) the option for "Prevent cross-site tracking" in the Safari configuration menu.
Tip: To achieve a better user experience, using Javascript you can detect when a user is using Safari and show him an HTML message explaining that he needs to disable that option in order to continue or use another browser like Chrome or Firefox.
I am creating a chat application, where I need to send notifications when the user is not watching my website or working in another application.
Now, most of the use cases can be handled using the page visibility API. But there is a particular use case when the user is switching the application from browser to any other application(ex: Outlook), I want to send a notification at that time.
But the issue here is page visibility API does not provide anything on switching applications. That is if the browser active tab has my website and the user switches the application from browser to any other application, it still thinks the user is looking at my website which is wrong because the user is in anther application right now.
I have done R&D on this and I see it is impossible because browsers can't detect these kinds of changes due to security reasons.
But when I checked with Whatsapp web there, javascript is able to find weather user opened the current application or not and based on that they are sending notifications.
So, How can I implement same feature that Whatsapp guys implemented? Is there any web API I am missing here. Are any hacks available to implement this kind feature?
Thanks in advance.
I have an issue where I'm asking my app to open a browser looking at my Server.
From that server page, The user can perform some stuff on an existing site, then redirects the user to a URL that the App catches and the App continues as normal.
The lifecycle looks like this:
App -> Web Site -> App
However, after the life cycle of the app and the app is closed, the webpage is still open in the browser (on the page where the redirect to the app occurred).
It's apparently difficult via javascript to close a tab which wasn't opened by javascript? (In my case, the tab was opened by the app, not by a different tab). Is there any way to get around this?
(I'm aware I could use a WebView, but WebViews are buggy, manufacturer specific, security holes that I want to avoid)
No, sorry. There is no standard Intent structure for this. While it is possible that some browsers offer something, I am not aware of any that do.
Bear in mind that there is no requirement that your ACTION_VIEW Intent open up a browser tab, as the user's chosen browser may not offer any sort of tab UI metaphor. check this reference old question
Note: I could not think words for this question to search in Google. That's why asking my question. Please bear with me.
I have internet subscription of xyz company and it's login based connection. But what happens is that sometimes login screen reappears and is asking for password. I have already stored user name and password in web page but I have to click on login button to relogin again.
Can I have any script written for this login page that whenever internet connection goes and asks for relogin again, script automatically submit form and get connected with internet?
You're looking for content scripts. There is no cross-browser way to inject code into a web page, but each major browser has a well documented way to do it:
Firefox
Chrome
Internet Explorer
Technically you could also write a script that sniffs HTTP requests using a tool like Wireshark and posts form data whenever it detects the page is displayed, but that doesn't seem like a great solution.
I am facing some issue with Javascript injection on IE9 (>Medium-high security). In my application when user wants to add any web page to their bookmarks, they click a link, and it injects a Javascript into that page, this injected javascript grabs all details about page and redirect users to my site.
On IE9, it does not seems to be working with Medium-high security. I suspect this has to do something how IE9 handles cross-site javascript injection. But, was not able to find any relevant information.
Can someone please help or guide me to some related information.
Thanks
You may find this TechNet post useful, especially the row "Allow scripting of Internet Explorer Web browser control".
Apparently Internet Explorer doesn't allow scripts to control the web browser except on Medium-Low and Low security levels. Because of this, you won't be able to redirect the browser unless it's set to one of those two levels.
Perhaps instead of redirecting them you could add some kind of notification to the DOM and give them a link to your website?