While debugging why my extension doesn't work in Safari (but does for other browsers), noticed that I can send an arbitrary made up HTTP header with XmlHttpRequest in a Safari toolbar extension. But try to do same with header named "Cookie" with same content as before, it doesn't get sent.
So does Safari restrict sending back cookies with requests or you need to follow an alternate process to do so? Seems kind of lame since this blocks functionality of apps that require session state persistence for example. If there's an alternate process, Apple made it harder to maintain session state in extensions (extra work in adapting a web app or other browser extension).
I tested using Safari 5.1.7 on Mac OS X 10.7.5 with Charles proxy.
Just figured I should post the solution that worked for me, that I commented in my own question earlier, for easier viewing by others with similar problem:
Turns out for Safari extension, what works for me is to set the browser to not block any cookies and website data. So users would have to do that to use the extension. No code changes needed. But that's not cool though.
The particular step is Safari > Preferences > Privacy > Cookies and website data: Always allow (at least under Safari 10 on Mac OS Yosemite). Although one could try "Allow from websites I visit" to see if that more restrictive option will work or not.
Related
I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps
I am looking for a way to fill basic authorization popup in Safari 13 in automated session. I want to log in to website which require such login. Solution can be even manual. Is there any way to do that?
List of solution which I tried:
Fill form manually. Issue: Safari 13 blocks any interaction with automated browser. As far as I know there is no way to do it and then continue with automated session.
Use selenium to fill the form. Issue: Safari does not support such feature.
Use http://login:password#site.com. Issue: Safari 13 does not support such feature.
Add authorization header using proxy. Issue: Some sites does not work the same with proxy. I tried browsermob-proxy and mitmproxy but site did not works the same as without proxy.
Add authorization header using proxy and then refresh page without proxy. Issue: Header is not saved in browser. Authorization is required after refresh.
Use ApplyScript or other to fill the form. Issue: Safari 13 blocks any interaction with automated browser.
Safari extension with authorization header. Issue: as far as I know safari extension does not support any headers modification.
Use Keychain access. Issue: It can not be used in automated session.
Based on a few GitHub issues, I'm not sure if this is possible to achieve given all of the workarounds you have already tried.
This issue is detailing the Safari basic auth issue, closed as out-of-scope for Selenium:
https://github.com/SeleniumHQ/selenium/issues/5610
Which a Selenium developer then links to a still-open, larger-scope issue, in the WebDriver spec repository:
https://github.com/w3c/webdriver/issues/385
It seems like the basic auth support you are looking to achieve needs to be implemented by W3C contributors, not by Selenium developers.
All of the solutions you have mentioned trying seem to be the only available workarounds out there, and without a supported Selenium solution or fully-functioning workaround, this issue may not be solvable.
I was going back and forth with Spotify Cares Twitter for over four days. Finally they directed me here, so I hope one of the devs from Spotify will answer.
I am trying to put Spotify Play Button on the website. I was following the instructions from the documentation. Then I also found on the Spotify blog, that some details had changed in July 2018. So I have tried this code as well.
Whatever I did, the Play Button embed player plays only preview (30 seconds) when accessing website in the Chrome (version 68 and 69).
The code is simple and straight taken from the documentation/blog:
<iframe src="https://open.spotify.com/embed?uri=spotify:album:1DFixLWuPkv3KT3TnV35m3" width="300" height="380" frameborder="0" allowtransparency="true" allow="encrypted-media"></iframe>
This code I have put into the empty HTML, so completely no other code interfering. You can check it in the example on Codepen.
I have tried to isolate the issue and here's what I have found:
In Chrome it never works: neither when I am logged into Spotify nor when I am not and log in with the button that shows up in the player
In Chrome with/without SSL - in both cases it didn't work
In Firefox it works properly. When I log into Spotify on the browser, go to the page, it plays full tracks
Also asked my friends to go to the page with this code and - being logged into Spotify - it didn't work for them as well
The play button works properly in the examples on blog and documentation of Spotify - which is in their domain, so it is the same domain as the iframe content - this is a hint I think.
I have checked also recent changes in Chrome, but only one concerning iframe was adding allow on microphone and camera. Even using this one didn't help (but this should not be related actually).
I have also checked on recent Safari / MacOS - the issue is there as well (but not on Firefox/MacOS)
What can be the reason for the issue? How to solve this? Or maybe Spotify devs team need to fix it?
So the answer is quite obvious if you know where to look.
Under chrome://settings/content/cookies Google Chrome has this option Block third-party cookies. I had it enabled and that was the cause of the issue.
But why I didn't think of it before? It's because Google Chrome in such case adds to all non-white-listed (see below) sites a cookie icon with red X to the right side of the Address Bar. When one clicks it, it shows two options:
Always allow [url of the site] site to save cookies
Keep blocking the cookies
And since I had the first one selected it looked good to me back then.
But this option is not the same as "allow use of the third-party cookies", which is not available in the popup options window.
In fact to allow sites to use cookies from Spotify, you have to either:
Disable the option Block third-party cookies in the Chrome Settings in general
or add [*.]spotify.com to your white-list (I recommend this one)
And that way, any site can access spotify.com cookies to check if user is logged in to properly play music (full tracks or just previews).
And one final note: the site with the embed play button code must be accessed with SSL, so via https.
I didn't check how to change that for Safari on MacOS, but probably the solution is similar to this one.
I have created a custom App URL for my iOS app. The URL format is similar to this:
myappname://texttobeparsed
This works fine when I paste the URL in safari, My App opens and correctly handles the URL. The problem is that other apps such as iMessage or Notes do not recognize this as a URL.
Why isn't this URL scheme being recognized as a URL? Could it have to do with how I set it up in my info.plist file or something else?
Or, does the URL need to be in a different format to be recognized?
I know it's possible to have the system recognize it as a URL in apps other than web-browsers because I've seen it before with other apps (ex. iTunes: itms://itunes.com/apps/appname or Twitter: twitter:// or Facebook: fb://).
There's nothing you can do about this. If the link isn't explicit (e.g. in an HTML email), these apps can just recognize a built-in set of standard URL schemes. itms:// is one of Apple's own schemes (for the iTunes Store), so it makes sense that it is supported in addition to the standard mailto://, http://, tel://... schemes.
Edit: I would guess that the information that is used to determine what constitutes a valid URL in text views etc. is cached somehow. Contrary to what I initially guessed, it seems that app-specific URLs do work in Notes, etc. I've tested this with tweetbot:// for example (which I have installed) and twitter:// (which I don't have installed) to verify that it doesn't just check for a pattern like *://, but actually uses information about the installed apps.
I'd suggest that you try to restart your device. If it's an issue with some cache, that might help and I don't think there's much else you could do if your URL scheme already works in Safari.
Update: I've installed the official Twitter app to test this, the twitter:// scheme wasn't immediately recognized in Notes, but after killing and restarting the Notes app, it worked.
Update 2: I've done a minimal test app with myappname:// as a custom URL scheme. Again, like with the Twitter app, it worked after restarting the Notes app, so it doesn't seem related to the popularity of the app or whether it's been submitted or not.
I can't answer as to why it's not working (beyond guessing that the link interpreter is hard-coded to only recognize certain URL schemes), but I can say that the typical way around this is to link to a web page, and have the web page redirect to your custom scheme.
It's slightly less elegant, because the user will see Safari open up briefly before being forwarded to your app, but it's also more robust because the web page can provide a link to the app store to install the app if it is not installed on the user's phone.
My implementation of Facebook Connect (just a simple login button, fb:login-button) works perfectly on Firefox and IE.
But the same button is not showing up in Safari/Chrome (Webkit).
Here's what's ironic. In my debugging effort, I saved the page (that contains fb:login-button) up as a static page and then load it in Safari. And the button shows up, everything works!
The exact same page (with the exact same HTML source) rendered by my PHP has no way for bringing up the button.
I'm trying hard to support Webkit here but I'm close to giving up. Can anybody help?
I found one more way this can occur (the blame-myself-for-being-stupid way); it's probably not common, but in the event is saves anyone else the hassle, here it is:
This symptom can also be caused by various security tools blocking facebook resources.
In my case, I'd installed Facebook Disconnect ages ago in Chrome as a plugin and forgotten all about it being installed. I also had a second installation of Chrome that was seemingly identical (but did not have Facebook Disconnect). The first would properly load the fb:login-button, and the other would not; took me ages before I looked at the plugins, because Facebook Disconnect didn't have an icon and so its presence was pretty easy for me to miss.
Here's what you'll see if some sort of security plugin is preventing facebook resources from loading. Just look at the html that renders in the browser using developer tools.
In a normal chrome session you'll end up with something like this:
<fb:login-button><a class="fb_button fb_button_medium"><span class="fb_button_text">Your text here</span></a></fb:login-button>
But in the version with facebook's resources disabled you'll end up with this:
<fb:login-button>Your text here</fb:login-button>
Like I said, pretty obvious in retrospect.
Had the same problem but it was not related to anything like a plugin or malformed content. It seems if you enable country filtering on your facebook page it has an issue with the like button, this should be fairly obvious. Facebook gets your location from your profile and not your IP address.
Make sure to disable country locking if you plan on using the social plugins.
This can be due to having ClickToFlash installed. Either disable it, or check "Automatically load invisible Flash views" in the ClickToFlash settings.
What we found out is that Safari (and maybe some older versions of Chrome or other WebKIT browsers) have a problem with Facebook's code using the innerHTML JS function if your page arrives with an XHTML response header (application/xhtml+xml).
Using text/html solves the issue.
In case of JSF2, which we use, the implementing the fix was as simple as wrapping the FB button like this:
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:fb="http://www.facebook.com/2008/fbml"
xmlns:f="http://java.sun.com/jsf/core">
...
<f:view contentType="text/html">
<fb:login-button>Login using Facebook</fb:login-button>
</f:view>
Facebook bug report here:
http://bugs.developers.facebook.net/show_bug.cgi?id=5545
I had this problem with the Facebook button not showing at all and it took me forever to figure out what it was. Luckily after days of hair pulling I will now share the answer with everyone. In my situation I simply didn't have xfbml enabled. In my FB.init I had it set to false:
FB.init({
appId : 'app_id', // App ID
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : false, // parse XFBML
oauth : true // enable OAuth 2.0
});
I changed this to "true" (xfbml) and the login buttons works great now! :P Good luck!
This happened when I had the wrong domain in callback_url in config/facebooker.yml. Apparently it uses that to load the js files.
I had the same problem but I resolved it by making sure the URL in my app settings was exactly the same as the one for my site (i.e. it didn't work when I accessed my site without the www.).
I have tried every suggested solution here and it didn't work for me. But now I finally found the solution.
Facebook requires now a secured (https) for Canvas (Secure Canvas URL). The unsecured one will be deprecated soon.
Here is the main difference, Chrome doesn't like https connections with invalid certifications. On a localhost, it is very likely you have stunnel installed to allow https connection for the localhost. Firefox is ok with the self created SSL certificate and allows you to add an exception when trying to access that site. Chrome doesn't allow it out of the box.
When I load my app in Chrome the page is blank and I dont see any login button.
Click F12 and click the Netwrok tab in Chrome:
You see that the post request to your localhost is cancelled. DOUBLE Click on it.
Now you would see that chrome is blocking the localhost because of the certificate:
click on proceed anyway.
Now to back to your other tab and reload the page:
Chrome works now like Firefox and shows the login button.