Google OAuth gapi.auth.authorize X-Frame-Options: SAMEORIGIN
Starting about 2 weeks ago, some customers began running into a problem that prevents them from authenticating with Google services. So far, every instance I have encountered appears to be on a non-gmail domain. The problem seems to be (see the Differences section below) that the https://accounts.google.com/o/oauth2/auth request made by gapi.auth.authorize is returning a response with an 'X-Frame-Options: SAMEORIGIN' header for these specific clients. I cannot reproduce the problem locally, but I received a HAR of the failing request.
The same authentication method works for a variety of other clients, including other hosted domains (non-@gmail accounts).
Any ideas about what could cause this request to fail? Other things to investigate or other information that would help?
In the Developer Console, https://www.moo.do is a valid JavaScript origin.
The error that finally shows up in the user's console:
Load denied by X-Frame-Options: https://accounts.google.com/o/oauth2/auth? does not permit cross-origin framing.
Similarities
- Both requests use immediate=true when authorizing. When immediate=false is used (which sends the request through the account chooser popup), the failing account services the request successfully.
Differences
- There is an X-Frame-Options header in the response for the failing account.
- In the response for the failing account, the response.content.size field is 0. In addition, response._transferSize is 0 and there is a response._error field (which is empty).
- In the failing account's request, the scopes parameter is encoded as "[scope]+[scope]+[scope]", which is deprecated. [Edit: received another HAR that uses the correct, non-deprecated space-separated scopes and still fails]
Below are the successful and failing requests. I don't know why the failing request returns the extra header. Some information has been removed ([REMOVED]) or redacted (XXXX/YYYY).
Successful request
{
"startedDateTime": "2016-03-03T15:52:27.625Z",
"time": 84.7660000436008,
"request": {
"method": "GET",
"url": "https://accounts.google.com/o/oauth2/auth?client_id=597847337936.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.install%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.appdata%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&immediate=true&login_hint=YYYYY%40YYYY.com&authuser=-1&include_granted_scopes=true&proxy=oauth2relay593501023&redirect_uri=postmessage&origin=https%3A%2F%2Fwww.moo.do&response_type=token&state=867674703%7C0.1520984533&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.d1w1l2mcNcs.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCMuer-UxvQzEv7JYzkFSQh2Kou7xA",
"httpVersion": "unknown",
"headers": [
{
"name": "pragma",
"value": "no-cache"
},
{
"name": "accept-encoding",
"value": "gzip, deflate, sdch"
},
{
"name": "accept-language",
"value": "en-US,en;q=0.8"
},
{
"name": "upgrade-insecure-requests",
"value": "1"
},
{
"name": "user-agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36"
},
{
"name": "accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
},
{
"name": "cache-control",
"value": "no-cache"
},
{
"name": ":authority",
"value": "accounts.google.com"
},
{
"name": "cookie",
"value": [REMOVED]
},
{
"name": ":scheme",
"value": "https"
},
{
"name": "x-chrome-connected",
"value": "id=108229145437218213687,mode=0,enable_account_consistency=false"
},
{
"name": "referer",
"value": "https://www.moo.do/app/"
},
{
"name": "x-client-data",
"value": "CKO2yQEIwbbJAQj9lcoB"
},
{
"name": ":method",
"value": "GET"
}
],
"queryString": [
{
"name": "client_id",
"value": "597847337936.apps.googleusercontent.com"
},
{
"name": "scope",
"value": "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.install%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.appdata%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
},
{
"name": "immediate",
"value": "true"
},
{
"name": "login_hint",
"value": "YYYYY%40YYYY.com"
},
{
"name": "authuser",
"value": "-1"
},
{
"name": "include_granted_scopes",
"value": "true"
},
{
"name": "proxy",
"value": "oauth2relay593501023"
},
{
"name": "redirect_uri",
"value": "postmessage"
},
{
"name": "origin",
"value": "https%3A%2F%2Fwww.moo.do"
},
{
"name": "response_type",
"value": "token"
},
{
"name": "state",
"value": "867674703%7C0.1520984533"
},
{
"name": "jsh",
"value": "m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.d1w1l2mcMcs.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCMuer-UxvQzEv7JYzkFSQh2Kou7xA"
}
],
"cookies": [
{
"name": "LSOLH",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "SMSV",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "RMME",
"value": "false",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "ACCOUNT_CHOOSER",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "GALX",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "GoogleAccountsLocale_session",
"value": "en",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "expor",
"value": "3100077",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "GMAIL_RTT",
"value": "151",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "S",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "SID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "LSID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "HSID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "SSID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "APISID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "SAPISID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "GAPS",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "LSOLH",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "OGPC",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "NID",
"value": [REMOVED],
"expires": null,
"httpOnly": false,
"secure": false
}
],
"headersSize": -1,
"bodySize": 0
},
"response": {
"status": 200,
"statusText": "OK",
"httpVersion": "unknown",
"headers": [
{
"name": "pragma",
"value": "no-cache"
},
{
"name": "date",
"value": "Thu, 03 Mar 2016 15:52:27 GMT"
},
{
"name": "content-encoding",
"value": "gzip"
},
{
"name": "x-content-type-options",
"value": "nosniff"
},
{
"name": "server",
"value": "GSE"
},
{
"name": "content-language",
"value": "en"
},
{
"name": "status",
"value": "200"
},
{
"name": "cache-control",
"value": "no-cache, no-store, max-age=0, must-revalidate"
},
{
"name": "content-type",
"value": "text/html; charset=UTF-8"
},
{
"name": "alt-svc",
"value": "quic=\":443\"; ma=2592000; v=\"30,29,28,27,26,25\""
},
{
"name": "alternate-protocol",
"value": "443:quic,p=1"
},
{
"name": "x-xss-protection",
"value": "1; mode=block"
},
{
"name": "expires",
"value": "Fri, 01 Jan 1990 00:00:00 GMT"
}
],
"cookies": [],
"content": {
"size": 2096,
"mimeType": "text/html"
},
"redirectURL": "",
"headersSize": -1,
"bodySize": -1,
"_transferSize": 1051
},
"cache": {},
"timings": {
"blocked": 1.07300002127886,
"dns": -1,
"connect": -1,
"send": 0.39199995808303,
"wait": 81.3200001139194,
"receive": 1.9809999503195002,
"ssl": -1
},
"connection": "2025013",
"pageref": "page_1"
}
Failing request
{
"startedDateTime": "2016-03-03T10:12:35.752Z",
"time": 442.6579999853857,
"request": {
"method": "GET",
"url": "https://accounts.google.com/o/oauth2/auth?client_id=597847337936.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.install+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.appdata+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly&immediate=true&login_hint=XXXXX%40XXXX.com&authuser=-1&include_granted_scopes=true&proxy=oauth2relay235542267&redirect_uri=postmessage&origin=https%3A%2F%2Fwww.moo.do&response_type=token&state=638324187%7C0.1211244794&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.de.7pJmZpTVQp8.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmU_zLoubGrUI-_ZI9ZhB7rGP1Sw",
"httpVersion": "unknown",
"headers": [
{
"name": "Accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
},
{
"name": "Referer",
"value": "https://www.moo.do/app/"
},
{
"name": "Upgrade-Insecure-Requests",
"value": "1"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
}
],
"queryString": [
{
"name": "client_id",
"value": "597847337936.apps.googleusercontent.com"
},
{
"name": "scope",
"value": "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.install+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.appdata+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
},
{
"name": "immediate",
"value": "true"
},
{
"name": "login_hint",
"value": "XXXXX%40XXXX.com"
},
{
"name": "authuser",
"value": "-1"
},
{
"name": "include_granted_scopes",
"value": "true"
},
{
"name": "proxy",
"value": "oauth2relay235542267"
},
{
"name": "redirect_uri",
"value": "postmessage"
},
{
"name": "origin",
"value": "https%3A%2F%2Fwww.moo.do"
},
{
"name": "response_type",
"value": "token"
},
{
"name": "state",
"value": "638324187%7C0.1211244794"
},
{
"name": "jsh",
"value": "m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.de.7pJmZpTVQp8.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmU_zLoubGrUI-_ZI9ZhB7rGP1Sw"
}
],
"cookies": [],
"headersSize": -1,
"bodySize": 0
},
"response": {
"status": 200,
"statusText": "OK",
"httpVersion": "unknown",
"headers": [
{
"name": "pragma",
"value": "no-cache"
},
{
"name": "date",
"value": "Thu, 03 Mar 2016 10:12:35 GMT"
},
{
"name": "content-encoding",
"value": "gzip"
},
{
"name": "x-content-type-options",
"value": "nosniff"
},
{
"name": "server",
"value": "GSE"
},
{
"name": "x-frame-options",
"value": "SAMEORIGIN"
},
{
"name": "content-language",
"value": "de"
},
{
"name": "status",
"value": "200"
},
{
"name": "cache-control",
"value": "no-cache, no-store, max-age=0, must-revalidate"
},
{
"name": "content-type",
"value": "text/html; charset=UTF-8"
},
{
"name": "alt-svc",
"value": "quic=\":443\"; ma=2592000; v=\"30,29,28,27,26,25\""
},
{
"name": "alternate-protocol",
"value": "443:quic,p=1"
},
{
"name": "x-xss-protection",
"value": "1; mode=block"
},
{
"name": "expires",
"value": "Fri, 01 Jan 1990 00:00:00 GMT"
}
],
"cookies": [],
"content": {
"size": 0,
"mimeType": "text/html"
},
"redirectURL": "",
"headersSize": -1,
"bodySize": -1,
"_transferSize": 0,
"_error": ""
},
"cache": {},
"timings": {
"blocked": 0.944999977946281,
"dns": -1,
"connect": -1,
"send": 0.3190000134054589,
"wait": 151.53400000417625,
"receive": 289.85999998985767,
"ssl": -1
},
"pageref": "page_1"
}
Awesome.
Problem/Cause
If an app requests more than 7 OAuth scopes, the Google authorization server attaches the 'X-Frame-Options: SAMEORIGIN' header for hosted-domain accounts (Google Apps). Fewer than 7 (it does not matter which scopes) and the same request on the same account does not return the X-Frame-Options header.
Additional moving parts are needed to get this repro working (the jsh parameter must be supplied from the GAPI JS client), as well as other scenarios in which the X-Frame-Options header is [...]. However, at this point the repro files show what appears to be a problem with the Google authorization server.
Complaint :)
Because of the nature of the X-Frame-Options header, client-side error detection will not know that the request has been blocked, which makes this particular bug a bigger problem. Furthermore, the authorization callback will never receive any kind of failure notification, leaving the requesting app waiting for a notification of any kind.
Problem demonstration
Two repro files are included:
auth_repro.html - This sidesteps the GAPI JS client completely and demonstrates the problem. It does use a specific parameter (jsh) that the client appends to the authorization request to work around the issue.
auth_repro_gapi.html - This reproduces the problem using the GAPI JS client.
Solution
Don't be lazy about trimming/managing the scopes you are requesting, or your authorization requests will start failing silently.
It would be nice if this behavior did not exist. Best guess is that it is a security measure gone wrong?
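A small HAR checker, added here as an example (not code from the question or the answer): it pulls the accounts.google.com/o/oauth2/auth entries out of a HAR capture, counts the requested scopes, detects the deprecated '+' separator, and flags an immediate-mode response carrying X-Frame-Options, which the browser refuses to frame without ever calling the JS client back. The two sample entries are constructed to mirror the captures above; the 7-scope threshold is the one reported in the answer.

```python
"""Check HAR entries for the silent gapi.auth.authorize failure (added example)."""
import json
from urllib.parse import quote, unquote, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
MAX_SAFE_SCOPES = 7  # per the answer: more than this triggered X-Frame-Options

def _header(headers, name):
    """Case-insensitive lookup in a HAR header list; None if absent."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def scope_list(url):
    """Return (scopes, separator) from the raw 'scope' query parameter.
    Read before decoding: parse_qs would turn a '+' into a space and hide it."""
    query = urlsplit(url).query
    raw = next((p[len("scope="):] for p in query.split("&")
                if p.startswith("scope=")), "")
    separator = "plus" if "+" in raw else "space"
    scopes = [s for s in unquote(raw).replace("+", " ").split(" ") if s]
    return scopes, separator

def analyze_auth_entry(entry):
    """Classify one HAR entry for the /o/oauth2/auth endpoint."""
    req, resp = entry["request"], entry["response"]
    params = parse_qs(urlsplit(req["url"]).query)
    scopes, separator = scope_list(req["url"])
    xfo = _header(resp.get("headers", []), "x-frame-options")
    immediate = params.get("immediate", ["false"])[0] == "true"
    size = resp.get("content", {}).get("size", -1)
    findings = []
    if immediate and xfo is not None:
        # immediate=true loads in a hidden iframe; the browser refuses the
        # framed document and the JS client never receives a callback.
        findings.append(f"X-Frame-Options: {xfo} on an immediate (iframe) request")
    if resp.get("status") == 200 and size == 0:
        findings.append("200 OK with content.size 0: body discarded by the browser")
    if len(scopes) > MAX_SAFE_SCOPES:
        findings.append(f"{len(scopes)} scopes requested (more than {MAX_SAFE_SCOPES})")
    if separator == "plus":
        findings.append("scope uses the deprecated '+' separator instead of a space")
    return {"blocked": immediate and xfo is not None, "scope_count": len(scopes),
            "scope_separator": separator, "findings": findings}

def scan_har(har_text):
    """Run analyze_auth_entry over every auth-endpoint request in a HAR file."""
    har = json.loads(har_text)
    return [analyze_auth_entry(e) for e in har["log"]["entries"]
            if e["request"]["url"].startswith(AUTH_ENDPOINT)]

# --- constructed sample entries (scope names taken from the captures above) ---
_SCOPES = ["https://www.googleapis.com/auth/" + s for s in (
    "userinfo.email", "drive.install", "drive.appdata", "calendar.readonly",
    "calendar", "contacts.readonly", "gmail.readonly",
    "drive.metadata.readonly", "drive")]

def _auth_url(scopes, sep):
    return (AUTH_ENDPOINT + "?client_id=CLIENT_ID_PLACEHOLDER&scope="
            + sep.join(quote(s, safe="") for s in scopes)
            + "&immediate=true&redirect_uri=postmessage&response_type=token")

SAMPLE_OK = {"request": {"url": _auth_url(_SCOPES, "%20")},
             "response": {"status": 200, "headers": [
                 {"name": "content-type", "value": "text/html; charset=UTF-8"}],
                 "content": {"size": 2096}, "_transferSize": 1051}}
SAMPLE_BLOCKED = {"request": {"url": _auth_url(_SCOPES, "+")},
                  "response": {"status": 200, "headers": [
                      {"name": "x-frame-options", "value": "SAMEORIGIN"}],
                      "content": {"size": 0}, "_transferSize": 0, "_error": ""}}
SAMPLE_HAR = json.dumps({"log": {"entries": [SAMPLE_OK, SAMPLE_BLOCKED]}})
```

Feed a real capture to scan_har(open("capture.har").read()); any entry with "blocked": True is one the authorization callback will never report.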