by mitchc » Fri Jun 19, 2020 11:08 am
First, this is not a gmail only item. This is an entire Google ecosystem decision. You are locked out of all Google properties that use Google sign in, all 3rd party websites that use Google sign in to authenticate, and all 3rd party applications that may use Google sign in. This includes many business facing enterprise applications like Google adwords, youtube business accounts, Google analytics, Google webmaster tools, etc. This effects a massive portion of the internet traffic and properties available that any user of your 3rd party browser is completely locked out of by Google.
It is clear that Google is happy to wield its monopolistic control over a significant portion of the internet that goes to Google properties, to dictate which browsers consumers are allowed to use and lock out competition. If you do not use one of their approved technologies in your competitive product your users cannot even do basic actions like sign into their email. How large is that effect? Google controls over 12% of internet traffic and 30% of internet connections per sandvine, and the top internet properties, that also does not include 3rd party websites that use Google auth.
The official recommendation of using "oAuth" is a joke, as it is in no way a solution for any real browser. Even if you complete a valid oAuth authentication through using a browser that Google currently has arbitrarily deemed acceptable for doing so it does not help. That oAuth authentication token cannot be used for logging in as a browser to any of those Google properties, it can only be used for making select API calls and in no way works in a normal browser setting. The other recommendation of "using a progressive web app" also only works if that app is run in one of the select browsers Google has deemed appropriate, and again is not really a valid solution for any actual 3rd party browser.
The lsb-escalations email is an internal only Google address, so cannot be emailed by 3rd parties. A Google employee can email them on your behalf, however it will not help. After over 9 months of arbitrarily slow replies from the Google Switzerland product manager (taking weeks to months on average to get replies) Googles mission is clear. Despite initial claims that any full system browser should work and that they are doing "everything we can do ensure genuine browsers don't get blocked", it is quite the opposite.
As of this week their official position is that "general guidance would be to either build a "full" browser - or to use oauth/ a system browser for the Google login. ... We don't intend to support Google sign-in for consumer accounts in CEF.". By use oauth or a system browser really they mean do _not_ use your browser at all, as even after the login is complete it is unusable. By "build a "full" browser" they really mean build a full system browser using the technology that Google has currently decided is OK for their ecosystem, and has no reflection on what the application itself does.
They are happy to announce however "We are working on more detailed guidance for CEF developers.", the same thing they said over 9 months ago, and the same thing that has yet to be produced.
Today (well really over 9 months ago) Google deemed one of its technologies was not acceptable to be used by browsers, who knows what browser technology will be banned tomorrow. Given Googles vast control on the internet, and ability to disable any browser of their choosing instantly from being able to access all properties, there may be no safe options.
Google has a long history of repeatedly "accidentally" breaking, degrading, or slowing other major browsers like Microsoft Edge and Firefox (or entire platforms like Windows Phone) on their most popular properties, this is one of the reasons that Microsoft switched to a browser based on Google technology to end the cat and mouse game. Little did they know that even Google tech may not be safe...