Can a published Web App use HTTP instead of HTTPS?
If so, how do you change the settings to make it work properly?
There is no way to do this today. If you access a web app over HTTP it will immediately get redirected to HTTPS. There are no plans to change this as of now but please log an enhancement request here with details - https://code.google.com/p/google-apps-script-issues/issues/list
Related
I am making an ASP.NET application and would like my file upload to allow attachments to be dragged straight from Gmail. The problem is that I cannot load the data from the links dragged in because of cross-origin rules.
There are 2 problems:
First, cross-origin rules prevent me from making requests to the Gmail attachment server.
Second, even if I were to make the request with cross-origin, the cookies would not be included.
I am using Chrome and only interested in doing this on my own computers.
One option is I could make a Chrome extension which allows cross-origin requests but only from my website.
Another option would be for my locally hosted server to communicate with Chrome to make the request itself.
Which of these would be the best option and how would I do it?
We recently started having issues with a web app used internally at our organization. Most users have been using Chrome to access the web app. The issue seems to correspond with the release of Chrome 90. The web app has been in place for a couple of years working with previous versions of Chrome without issue in this regard.
The web app uses an embedded iframe from a 3rd-party vendor. The vendor app does an HTTP GET to a URL within our web app to indicate success or failure. We then close the iframe and update our app accordingly. This has worked fine until recently. Now it seems that the HTTP GET from the vendor iframe is being 302 redirected to our login.
Example of 302 redirect
Prior to this and using MS Edge as the browser, the same HTTP GET gets a 200 response and our web app works as expected.
Example of HTTP 200 response
Since other browsers are continuing to work and there have been no significant changes to the web server, web app, or network access, we suspect something has changed with the latest version of Chrome and perhaps stricter security requirements. Why the 302 redirect? Does this have something to do with our SameSite cookie config? (Up to this point, we have done nothing specific with regard to SameSite.)
We found that with the latest updates to Chrome, we had to set the ASP.NET Session cookie headers to include "SameSite=None; Secure".
This article provided the answer: https://web.dev/samesite-cookie-recipes/
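The check implied by this answer, as an added example that is not part of the original posts: a small Python audit that reads `Set-Cookie` headers and reports whether Chrome would send each cookie on a cross-site iframe request. The function names and sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for cross-site (iframe) delivery
# under Chrome's SameSite-by-default rules. Sample headers are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cross_site_verdict(header):
    """Return (name, sent_cross_site, reason) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if same_site == "none":
        if secure:
            return name, True, "SameSite=None; Secure: sent in cross-site requests"
        return name, False, "SameSite=None without Secure: cookie is rejected"
    if same_site == "strict":
        return name, False, "SameSite=Strict: first-party requests only"
    if same_site == "lax":
        return name, False, "SameSite=Lax: not sent on cross-site subrequests"
    return name, False, "SameSite missing or unrecognized: treated as Lax by default"

# Constructed sample headers (not taken from the original post).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None; Secure",
    "prefs=dark; Path=/; SameSite=Lax",
]

def audit(headers):
    """Return verdicts for every header, in order."""
    return [cross_site_verdict(h) for h in headers]

if __name__ == "__main__":
    for name, ok, reason in audit(SAMPLE_HEADERS):
        print(f"{'OK  ' if ok else 'DROP'} {name}: {reason}")
```

A session cookie reported as `DROP` is absent when the vendor iframe calls back into the app, so the request arrives unauthenticated and is redirected to the login page.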
This is for doing OAuth with the Pocket API. It specifically states that using an embedded webview is a violation of the terms of use, but all OAuth examples I can find on WP8 seem to rely on the embedded web browser to do the authentication.
Is it not possible to use the default browser in WP8 to do the authentication and then redirect back into the App? I have done this in Android before. Thanks.
Well, if you read their documentation, it says that you need to provide a redirect URL. I am not sure if it will work, but you could try adding a URI association to your application and specifying a callback URL that will return back to your app.
Then, when your application is reactivated from the default browser, you should know that the user has authorized it.
Thus you could use WebBrowserTask for that, but I am unaware if you can call a local app URI from the browser.
I have a Chrome Packaged App where users log in to our App with an email and password and get an Auth Token back from our servers.
We later open a webview with our website in the webview. What would be the best way to auto-login the user into our website inside the webview?
I was thinking we could pass along the Auth token via the URL in the webview, but that probably isn't the most secure method. Are there other ways to pass info to the webview via the Chrome app?
Why is the URL method insecure? Are you concerned about GET vs POST? If so, you should be using HTTPS anyway. The embedder-to-webview part is secure.
Other approaches are to executeScript the token into the webview, or to postMessage it in either direction.
How are authentication cookies read/stored when using cache-manifest?
I am using cache manifest to speed up a jquery-mobile app that has a browser baseline of Safari Mobile. I am using the multi-page template and within one of the pages, I make an ajax request to my server for dynamic data.
The issue I am encountering is that when I cache the multi-page template (index.html), it technically is not authenticated during subsequent reloads/views and when I make the ajax request, the server is not able to read an expected cookie value to bypass the ACL and thus allow the GET request.
Thank you in advance for replies.