[dleslie]

This has nothing to do with security and everything to do with banning tools like youtube-dl, wget and others; from the post:

> The browser must identify itself clearly in the User-Agent. The browser must not try to impersonate another browser like Chrome or Firefox.

> The browser must not provide automation features. This includes scripts that automate keystrokes or clicks, especially to perform automatic sign-ins.

Edit:

I feel like mentioning youtube-dl was a mistake. It's not just about youtube-dl.

This policy bars the use of all text-based browsers, headless browsers, browsers without javascript, and browsers with automation when accessing Google's services. It bans browsers that contain Node.js, even.

[npsimons]

> The browser must identify itself clearly in the User-Agent.

I wonder what they'd think of my proxy which I have setup to (among other privacy respecting features) rewrite the User-Agent to "By allowing me access, you waive all rights and policies regarding my access." This is basically my form of EULA.

> The browser must not provide automation features.

LOL. This was obviously written by some tech illiterate law type, perhaps a first year law student? I fear to think what incompetent engineer working at google of all places would have come up with that verbiage . . .

[MereInterest]

Yeah, the browser itself is an automation feature. It automates the downloading of a file over HTTP, downloading of any dependent resources, managing of caches, and rendering of the result. That these are so frequently done that this automated pipeline is referred to as "a browser" doesn't mean that this isn't an extremely automated system.

[delroth]

> To protect our users from these types of attacks Google Account sign-ins from all embedded frameworks will be blocked starting on January 4, 2021.

(emphasis mine)

So I don't follow how this would have anything to do with banning youtube-dl, which doesn't require login? And as the blog post mentions, you can still bootstrap auth through a normal web browser, and pass the auth token to your command line / less secure browser / ... app.

(Disclaimer: I work at Google, not on anything related to this blog post or to your hypothetical scenario.)

[dleslie]

Passing oauth tokens into automation tools is a common use case in order to automate the retrieval of account-restricted content.

[duskwuff]

Which would still be fine. The only thing that'd be blocked is obtaining those OAuth tokens by passing your Google username/password to a browser automation tool.

[dleslie]

Which would break some common authentication options in ytdl:

https://github.com/ytdl-org/youtube-dl#authentication-option...

[worik]

It is not the whole world attacking ytdl - but Google, definitely.

Evil by default?

[seniorivn]

when you delete "don't be evil" tagline, you become evil by default

[tester756]

Let's dont act as if the whole world was trying to fight against ytdl.

[dleslie]

It's not just about ytdl; this policy will ban all headless browsers, text-based browsers, and browsers with automation tools.

[salawat]

So they're breaking mountains of automated test and scripting tools? Nice to know.

>Headless browsers locked out (thanks for nreaking test automation) >Node.js (riiight) >Text-based browsers (Going aft Lynx? Of all things?) >JavaScript MUST be enabled

Totally not a power grab here folks. Totally not a company known to value reaping user data in any form possible up to any kind of user hostile behavior, or exercising undue influence over the character of the Net.

Nope, no siree, Bob. Moving riiiight along.

[dmoy]

What does that have to do with youtube-dl? (Sorry it's been like 5 years since I used it, I don't remember that being required)

[dleslie]

It allows one to download private videos that your account can access.

[joshspankit]

Such as:

- I have a script that downloads my liked videos (in case they get deleted, which I’ve found out happens a fair bit)

- I also have a script to download my watch later videos (for sync to devices without YouTube Premium/Red/whatever)

[mattl]

Would you share those scripts?

[dmoy]

So the theory is this has nothing to do with security, but is only used to break private video downloading of youtube-dl?

[dleslie]

It blocks misrepresentation of agent, in general; automation is also blocked in general, but _especially_ for authentication.

[mulmen]

There's an ocean between required and useful.

[detaro]

How does youtube-dl obtain the token today?

[dleslie]

https://github.com/ytdl-org/youtube-dl#authentication-option...

Username, Password, 2FA, etc.

[detaro]

And you claim that doing more to stop people from giving their google account password to "random apps" (I personally trust youtube-dl a lot too, but "random apps" is what it comes down to) and forcing those apps to use OAuth to obtain scoped tokens has "nothing to do with security"?

[pjc50]

Security for whom? Locking the user out of the software they want to use is not improving security for them.

[dleslie]

If that were all that they were doing I might agree; but they are blocking browser identity misrepresentation and automation, as well; it also requires that all "browsers" have a complete implementation of web standards.

It explicitly blocks "headless" browsers.

> You must confirm that your browser does not contain any of the following:

> Headless browsers

> Node.js

> Text-based browsers

[9HZZRfNlpR]

Definetly not on the right side of the history. With all the social changes and uprises we see one would expect you to do better.

[userbinator]

It has everything to do with security: securing Google's control.

Google wants to take over the Internet. We should not let it use these "less secure" excuses to sway the public opinion.

[samuelroth]

Google’s control...over the security of Google accounts?

If you are worried enough about Google’s dominance over the Internet to be upset by this particular practice, it is unlikely you have (or should maintain) a Google account.

I’m not a “Google stan” by any means, but to say that they want to take over the Internet is just not true.

[dvfjsdhgfv]

> to say that they want to take over the Internet is just not true.

I don't know if they "want", but they already do have control over various aspects of the Internet, especially of the web, but also DNS and email.

[ForHackernews]

Google wants to dictate what user-agent you can use to access their sites: that's pretty controlling!

Can you imagine if Fox announced that only approved televisions could show their content?

[throwaway09223]

"The browser must not provide automation features."

It would be interesting to see this examined in the context of accessibility requirements created by the ADA.

[InfiniteRand]

This is kind-of funny requirement given the history of user-agent strings being incredibly convoluted.

I mean Chrome doesn't clearly identify itself as Chrome, it still identifies itself as Apple Webkit

[trickstra]

Also given Google's history of sending corrupted version of pages to Firefox useragents.

https://www.reddit.com/r/firefox/comments/7whdv4/googlecom_i... https://androidforums.com/threads/problems-with-firefox-user... https://www.ghacks.net/2018/07/25/google-making-youtube-slow... ... and many more

[worldmerge]

Well I guess my unofficial YouTube chat bot won't work anymore. The YouTube API is awful compared to the Twitch one for bot creation so it is easier to get the functionality you want using Selenium.

[izacus]

Why not? This restriction was added on Android years ago and it basically means that you retrieve the OAuth2 token with a normal browser and then send it to your automaton script/app.

It blocks auth to prevent phishing, not actual access.

[scrollaway]

If you'd bothered to read a little more before knee-jerking a reaction comment, you'd know this is only for the authentication flow.

[pjc50]

And? What if I want to automate my login flow?

[izacus]

You'll need to find another provider which doesn't care that much about preventing phishing attacks. Google accounts are a big target so it makes sense you move away from the masses.

[pjc50]

In practice it just means faking the user-agent and other fingerprinting more enthusiastically. I'm not sure how google can win that without resorting to the same anti-cheat measures as games companies.

[jlokier]

You'll try, but the first time you won't know what fingerprinting tests they are going to do. After a few iterations you'll succeed, but it will be obvious to Google that the account you've just been testing it on belongs to someone trying to break their auth restrictions...

Good luck keeping your account!

[dleslie]

I did read that; did you know that passing oauth tokens into such automation tools is commonplace?

[ath0]

OAuth tokens used in automation tools will continue to work. Entering in username & password through auth, to automate an OAuth flow (or any other traditionally manual flow) will stop working. Breaks some puppeteer scripts too - but those have been getting flaky for a while now.

[dleslie]

Thus making it even more cumbersome for users; now they simply login, in the future they'll have to know how to get the oauth token.

[detaro]

It's OAuth. The application can launch a normal browser for the OAuth flow and have the user complete it.

[bxk1]

For plenty of applications the whole purpose is not to run "a normal browser" and possibly not even have it installed.

[joshspankit]

And, OAuth tokens can be revoked meaning scripts will just suddenly fail.

[scrollaway]

What's your point? Passwords can change and sessions can get invalidated, which all has the same effect.

[austincheney]

> The browser must not provide automation features. This includes scripts that automate keystrokes or clicks, especially to perform automatic sign-ins.

If a web developer knows what they are doing they are using the standard web APIs supplied by the browser in an efficient way, designed to be invisible to accessibility for accessibility test automation, and thus this control from Google is largely unenforceable. As such I believe this is just a block against incompetent forms of automation that probably shouldn't be there in the first place.

[DevKoala]

Pretty much. It also helps their ad business to combat fraud.

[imglorp]

This is probably the only case that actually affects them. There's really no argument for security here.

[kevindong]

The announcement specifically says this:

> ...Google Account sign-ins from all embedded frameworks will be blocked starting on January 4, 2021

It says nothing about non-login related actions.

[pvg]

The whole premise is a mistake, not the mention of youtube-dl. This policy doesn't ban the the things you claim it does. It is not 'everything to do with banning wget'. It's just a strange and mistaken conclusion you arrived at, seemingly by very selective reading.

[u801e]

> his has nothing to do with security and everything to do with banning tools like youtube-dl, wget and others

Exactly. What's insecure about an application that can establish a secure connection using an accepted version of TLS and cipher?

[mrjin]

Google has went rouge for quite a while. AMP was another example of the same nature.

[suifbwish]

Has anyone thought of just not using Google? By using them you give them power in your life

[nojito]

It's to stop scraping of Google Data.

There is currently millions -> hundreds of millions being made by scraping Google content.

[ForHackernews]

Kind of hypocritical given that Google's entire business is founded on scraping the rest of the internet.