2/24/14

notes

..I'm trying to get PIMA online, so I can access it from my phone. I have it working with Dropbox — more-or-less. Now I need it to work with Gmail, since I like to import starred gmails as todo items.

..I'm planning to use a Google Script for this.

note: here's where to create a google script: https://script.google.com

..ok, now I'm not sure how my page hosted on github.io is going to access to the script.. even if google scripts support CORS, which I'm guessing they don't, the script is going to need to ask the user to authenticate with google anyway, so it sort of needs to be displayed as a webpage..

..I suppose I could create an iframe with it, and the iframe should be able to reach "up" in the DOM, giving the results to my page.. let's see if that works..

note: command to run local web server: http-server -p 5000

ugg.. X-Frame-Options: DENY

DENY
deny
:(

..thoughts from the porcelain thinking throne:

  • I could open a new page which could automatically redirect back to the original page with the email information in the url.. though this might cause a very long url.. how long of urls are google scripts happy to send, and github.io pages happy to receive?
  • I could have the google script itself authorize with dropbox, and put the information into dropbox, and then redirect back to the original page.. the problem is that dropbox apps require me to enter the urls that they work on, and I'm not sure what to put for a google script, since the entry point is one url, but then once it is authorized, it seems to redirect somewhere else..

..wait, maybe the X-Frame-Options:DENY is just for the login page when the user needs to authenticate!.. nope..

hm.. JSONP requests work, so long as the user has already authenticated the script, so hopefully I can figure out a way to detect that.. also, JSONP has the issue that malicious webpages could run it — not that PIMA is popular enough that it would ever happen, but in principle, it would be nice to know people couldn't trick me into letting them see some of my e-mails..

..oh, I could redirect to google scripts and redirect back every time, just in case authentication hasn't happened yet, and if it has, it shouldn't waste too much time.. assuming I can't figure out how to detect whether authentication happened, since I'm not sure how to detect whether a SCRIPT tag has loaded its script. Maybe there's a method for that? Hm.. it's not immediately clear from StackOverflow.

..hm.. do google scripts put the requesting domain in the doGet(request)? Looks like no..

..ok, an ugly solution, I redirect to the google script and have it redirect back, but only redirect back to a whitelist of places, and have it send a temporary token back.. hm.. let's see how easy it is to make a temporary token..

..oh good, there's a UserProperties https://developers.google.com/apps-script/reference/properties/user-properties thing, so each user can have their own token..

well.. it's ugly, but simple enough I suppose, let's give it a try..

hm.. it seems like req.parameter.auth is not allowed, like a reserved word..

arg, it seems like my redirect is not working.. but why? I feel like it's not spitting out the html that I requested.. as if it has some "filler" html around it.. hm.. it does have some extra html that I didn't request.. it also said something about a "sandbox", and I could see weird grey rectangles on the side which make me think that some mysterious "cruft" is happening.. I want it to spit out exactly what I say!!

humph, I tried <script>window.location = 'http://where-I-want-to-go'</script>, and I get "Caja does not currently support assigning to .location".. so they're using Caja to "sanitize" my HTML.. who are they protecting here? Me, from myself?

..someone suggested popping up this window, and after it authenticates, calling "close". Let's give it a try..

..and now "ignoring window.close(…). ". Great. So secure. And what is this "Sandbox mode: EMULATED". Why am I in a sandbox? I don't understand!!

..I can't find any settings related to sandboxes.. maybe it's done with code.. ahh: setSandboxMode(HtmlService.SandboxMode.NATIVE) .. let's give it a try.. nope.. still "ignores" it. Maybe it's because it's in a tab?.. nope..

..ok, what if we create a <form action="http://go-here"/> and call submit on that.. hm.. didn't seem to work.. I wonder if it will even let the user submit the form.. nope! it adds onsubmit="return false" to the form.. can I even let the user click a link? nope.. oh, wait, I used "src" instead of "href".. ok, I can click it manually, but clicking it programmatically doesn't seem to work "Object [object Object] has no method 'click' ".

hum.. hum..

..what if I load the target webpage in an iframe, and then have the iframe "bust out" to be the main window.. nope.. iframes are not supported..

ugg.. so much wasted time trying to do something that should be simple, but has been made deliberately obtuse by someone in the name of "security"..

ok, hacking the redirect seems hard — it seems like google doesn't want to allow redirects — so how about we try checking to see if the ajax call is succeeding. We could wait a certain amount of time, but it could actually take a while to grab the e-mails, so maybe we could make a special API that just returns right away, and put a timer on that.. and even if it does return after the timer, it will just mean that the user is sent away to go authenticate when they didn't really need to, and hopefully that will be rare..

oh shoot, I forgot, I need the authentication page thing so it can set a token, and hand it back to github.io, to protect against malicious jsonp use.. arggggg!!

ok, maybe I can save the token in a cookie, or localStorage, and use the new special API to verify that the token is correct..

hum de dum.. ok, I think this strategy will work-ish.. now we just need to incrementally add a few things on the pima side and the google script side until it grabs emails the way I want..
