 

How can Google detect a request is from a WebView?


Google announced that they "will no longer allow OAuth requests to Google in embedded browsers known as 'web-views'".

In Android, requests from WebViews get a header HTTP_X_REQUESTED_WITH which is set to the package name of the application. However, this can be overridden, so it would be possible to hide from the server that we are making a request using a WebView. I don't know of any other default way to do this.

Is there a way to detect, server side and no matter what the client does, that a request is from an Android WebView? How is this done by Google?

oldergod asked Jan 23 '17 08:01
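A server-side check for the header the question describes, written as an added example that is not part of the original post and not a description of what Google does. It reads the WSGI/CGI-style `HTTP_X_REQUESTED_WITH` key and, going beyond the question, also looks for the `wv` field that the default Android WebView User-Agent carries; the package name `com.example.app` and the sample requests are constructed.

```python
import re

# Java-style package name: dot-separated identifiers such as "com.example.app".
# "XMLHttpRequest", the value AJAX libraries send, has no dot and is ignored.
_PACKAGE_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$", re.ASCII)
# Android System WebView (Lollipop and later) puts a "wv" field at the end of
# the parenthesised platform section of its default User-Agent.
_WV_RE = re.compile(r"\(Linux; [^)]*\bwv\)")

def webview_signals(environ):
    """Return the WebView hints present in a WSGI/CGI-style environ dict."""
    signals = []
    requested_with = environ.get("HTTP_X_REQUESTED_WITH", "").strip()
    if _PACKAGE_RE.match(requested_with):
        signals.append("x-requested-with:" + requested_with)
    if _WV_RE.search(environ.get("HTTP_USER_AGENT", "")):
        signals.append("user-agent:wv")
    return signals

def classify(environ):
    """'likely-webview' if any hint is present, otherwise 'no-signal'.

    'no-signal' is not proof of a full browser: the client sets both headers.
    """
    return "likely-webview" if webview_signals(environ) else "no-signal"

# Constructed sample requests (not captured traffic).
_CHROME_UA = ("Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/88.0.4324.181 Mobile Safari/537.36")
_WEBVIEW_UA = ("Mozilla/5.0 (Linux; Android 10; Pixel 3 Build/QQ3A.200805.001; wv) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
               "Chrome/88.0.4324.181 Mobile Safari/537.36")
SAMPLES = {
    "default WebView": {"HTTP_X_REQUESTED_WITH": "com.example.app",
                        "HTTP_USER_AGENT": _WEBVIEW_UA},
    "header only": {"HTTP_X_REQUESTED_WITH": "com.example.app",
                    "HTTP_USER_AGENT": _CHROME_UA},
    "AJAX from Chrome": {"HTTP_X_REQUESTED_WITH": "XMLHttpRequest",
                         "HTTP_USER_AGENT": _CHROME_UA},
    "no hints": {"HTTP_USER_AGENT": _CHROME_UA},
}

if __name__ == "__main__":
    for name, environ in SAMPLES.items():
        print(f"{name}: {classify(environ)} {webview_signals(environ)}")
```

Both signals are supplied by the client, so the result is a best-effort hint for logging or policy decisions rather than proof of the operating environment.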




1 Answer

Not answering your question directly (sorry), but regarding the deprecation of WebView for OAuth that you referenced: even if you find a way to avoid the WebView being detected during an OAuth flow, doing so may run contrary to the Google API Services: User Data Policy, in particular the section "Do not mislead Google about an application's operating environment". So I wouldn't recommend that.

Typically using Custom Tabs for OAuth (such as via AppAuth for Android) results in a better user experience anyway, as the user will likely already be signed in to Google, allowing them to review your request without needing to sign in again. It's also a more secure experience. That's the goal of the migration – a more secure, more usable OAuth experience for end-users :-)

William Denniss answered Sep 26 '22 02:09