search

headzoo / surf

Stateful programmatic web browsing in Go.
MIT License
1.48k stars 159 forks source link

Getting framebuster code on consent page while doing google oauth #93

Open sjnonweb opened 6 years ago

sjnonweb commented 6 years ago

I'm trying to do google Oauth and i can submit Email and Password forms but when the browser navigates to consent page i get framebuster code and the browser is not able to get around that. This is what i get on body:

<noscript>
  <meta http-equiv="refresh" content="0;url=/o/noscript">
</noscript>
<!-- framebuster code starts here -->
<style nonce="mblvj0tjsrS61nO4S0oBmILXhsY">
  plaintext {
    display: none
  }
</style>
<script nonce="mblvj0tjsrS61nO4S0oBmILXhsY">
  (function () {
    try {
      var win = this;
      while ("<plaintext>") {
        if (win.parent == win)
          break;
        eval("win.frameElement.src").substr(0, 1);
        win = win.parent;
      }
      if (win.frameElement != null) throw 'busted';
      document.write("\x3Cxmp style\x3Ddisplay:none\x3E");
    } catch (e) {
      try {
        if (!open(location, '_top'))
          alert('this content cant be framed');
        top.location = location;
      } catch (e) { }
    }
  })();
</script>
<!-- do not remove the plaintext nor xmp tags -->
<plaintext>
  <xmp>.</xmp>
  <!-- framebuster code ends here -->
  <div id="ogb">
    <div id=guser width=100%>
      <nobr>
        <span id=gbn class=gbi></span>
        <span id=gbf class=gbf></span>
        <b class=gb4>personsmail@gmail.com</b> |
        <span id=gbe></span>
        <a target=_blank href="https://myaccount.google.com/?utm_source=OGB" class=gb4>My Account</a> |
        <a target=_top id=gb_71 href="https://accounts.google.com/Logout?continue=https://accounts.google.com/o/oauth2/auth?access_type%3Doffline%26approval_prompt%3Dforce%26"
          class=gb4>Sign out</a>
      </nobr>
    </div>
    <div class=gbh style=left:0></div>
    <div class=gbh style=right:0></div>
  </div>
  <div id="third_party_info_container">
    <div id="third_party_info" class="section_container" data-section="main">
      <div class="column">
        <div class="clear" id="grant_heading">
          <div id="parties_brand"></div>
          <a href="javascript:void(0);" id="developer_info_a" class="third_party_name_wide">
            <span class="goog-flat-menu-button-dropdown goog-inline-block third_party_dropdown"></span>test-oauth2</a> would like to:</div>
        <div id="scope_list">
          <div class="scope_spacer">
            <div class="scope_icon_container">
              <img class="icon" src="/o/static/4184593589-default_scope_icon.png" alt="">
            </div>
            <div class="scope_summary">Have offline access</div>
            <div class="info_icon_container">
              <a href="javascript:void(0);" class="more_info_icon" data-heading="" data-ok="OK">
                <img class="icon" src="/o/static/787932081-icon_info.png" alt="Click for more information">
              </a>
              <div class="more_info_detail">This app still has access to your account when your device is turned off.</div>
            </div>
          </div>
        </div>
      </div>
      <div id="approval_container">
        <div class="column">
          <div id="connect_container" class="modal-dialog-buttons button_container">
            <form id="connect-approve" action="https://accounts.google.com/o/oauth2/approval?"
              method="POST" style="display: inline;">
              <input type="hidden" name="bgresponse" id="bgresponse">
              <input type="hidden" id="_utf8" name="_utf8" value="☃">
              <input id="state_wrapper" type="hidden" name="state_wrapper" value="CnohQ2hSRU4xcHFSbFpqWHpoc2FrcFpVVU5MYkhCblpoSWZjell4UzBOeVltazRNM05YVlU5eFdtbGZRamR0VWkxVlZHRnJiMFpvV1HiiJlBQ1RoWnQ0QUFBQUFXbmpBd1B3QzM3dU51dkpDYzlTaHdjc3EzWkNjUkhPTxIVMTAwNjQ1MzA5NTM4NTE0MTc5OTk2GNjqjZnFvOTIMw">
              <input type="hidden" id="submit_access" name="submit_access" value="">
              <button id="submit_approve_access" type="submit" disabled tabindex="1" class="goog-buttonset-action">Allow</button>
              <button id="submit_deny_access" type="submit" disabled tabindex="2">Deny</button>
            </form>
            <div class="clear"></div>
          </div>
        </div>
      </div>
    </div>
  </div>
  <div style="display:none">
    <div id="developer_info_tooltip_content">
      <br/>Clicking "Allow" will redirect you to:
      <br/>http://localhost:3030/callback</div>
  </div>
  <div id="tooltip_bubble"></div>
  <script type="text/javascript" nonce="mblvj0tjsrS61nO4S0oBmILXhsY">window.onload = lso.dynamicAdjustHeight;</script>
  </body>

  </html>

As you can see its not valid html with all the opening and closing tags so the browser is not able to parse form#connect-approve. Has someone else faced this problem? Is javascript not supported in this browser.