Google如何检测来自WebView的请求? [英] How can Google detect a request is from a WebView?

问题描述

Google宣布他们 将不再允许在称为网络视图"的嵌入式浏览器中向Google发出OAuth请求. .

Google announced that they "will no longer allow OAuth requests to Google in embedded browsers known as 'web-views'".

在Android中，来自WebView的请求将获得标头HTTP_X_REQUESTED_WITH，该标头设置为应用程序的程序包名称.尽管可以重写此方法，但是可以使用WebView将服务器隐藏到我们发出的请求中.我不知道使用其他任何默认方法.

In Android, requests from WebViews get a header HTTP_X_REQUESTED_WITH which is set to the package name of the application. Although this can be overridden, so it would be possible to hide to the server that we are making request using a WebView. I don't know any other default way to make this.

有没有一种方法可以在服务器端进行检测，无论客户端做什么，该请求都是来自Android WebView的. Google如何做到这一点?

Is there a way to detect, server side ― and no matter what the client does, that a request is from a Android WebView. How is this done by Google?

推荐答案

不是直接回答您的问题(对不起)，而是关于您引用的OAuth弃用WebView:即使您找到一种避免检测到WebView的方法在OAuth流程中，这样做可能会违反 Google API服务:用户数据政策 ，尤其是请勿误导Google有关应用程序的操作环境"部分.所以我不建议这样做.

Not answering your question directly (sorry), but regarding the deprecation of WebView for OAuth that you referenced: even if you find a way to avoid the WebView being detected during an OAuth flow, doing so may run contrary the Google API Services: User Data Policy, in particular the section "Do not mislead Google about an application's operating environment". So I wouldn't recommend that.

通常使用自定义"标签进行OAuth(例如通过适用于Android的AppAuth )可带来更好的用户体验，因为该用户可能已经登录到Google，从而使他们可以查看您的请求而无需再次登录.这也是更安全的体验.这就是迁移的目标-为最终用户提供更安全，更可用的OAuth体验:-)

Typically using Custom Tabs for OAuth (such as via AppAuth for Android) results in a better user experiance anyway, as the user will likely already be signed-in to Google allowing them to review your request without needing to sign-in again. It's also more a more secure experiance. That's the goal of the migration – a more secure, more usable OAuth experiance for end-users :-)

这篇关于Google如何检测来自WebView的请求?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！