
Our app allows users to log in through Facebook. The page creates a popup which is redirected to the FB login page (https://lm.facebook.com/l.php?u=https%3A%2F%2Fm.facebook.com%2Fdialog%2Fconsent%2Fcomplete% ...), with header Cross-Origin-Opener-Policy: same-origin-allow-popups;report-to="coop_report". At this point the window.opener reference is valid and points to the original window. On desktop and iPhone the login then completes and redirects back to our page, with the window.opener reference still valid.

However, on Android (Chrome), when the popup redirects to our page it does so with window.opener set to null. In the meantime the only redirects are: https://m.facebook.com/dialog/consent/complete/ with a Cross-Origin-Opener-Policy: unsafe-none;report-to="coop_report" header, and then back to our page without any COOP header.

There is one apparent difference: on Android a dialogue is shown that is not triggered on iPhone or desktop: "You previously logged in to ****** identity with Facebook. Would you like to continue?" On this dialogue the window still has the opener reference, and after it the above-mentioned requests are fired.

I am not sure where exactly the opener reference was lost, or how I can prevent that, and why it only happens with the Android login process. I have found nothing in the Facebook documentation so far, and it seems to me that this could be a bug rather than a feature. However, I still need to overcome it somehow.

  • Which Android browser? According to MDN, Cross-Origin-Opener-Policy has no support in Opera on Android yet. (And not in Android Webviews either, but I'm guessing you are not using those here?) Commented Feb 29, 2024 at 11:45
  • "The page creates a popup which is redirected to FB login page" - is your own coding creating this popup - or are you using the JS SDK, and its Fb.login() method? Commented Feb 29, 2024 at 11:45
  • @CBroe I have been testing on Chrome (and also desktop Chrome with fake user-agent). We are not using JS SDK, the popup is created by our app. Commented Feb 29, 2024 at 11:52
  • Your "FB login page" URL there is really rather weird. First of all, https://lm.facebook.com/l.php is Facebook's own "link shim" - its purpose is to redirect elsewhere, usually used by Facebook itself, for external links. And why the redirection target then is https://m.facebook.com/dialog/consent/complete/, I also don't understand - [...] Commented Feb 29, 2024 at 12:15
  • [...] the usual way of invoking the login dialog, is via https://www.facebook.com/vXX.Y/dialog/oauth. I'm guessing Facebook realize that we are not in a "/dialog/consent/complete/ state" here, and automatically redirect to the actual login dialog URL ... but it really doesn't make much sense to have so many redirects involved to begin with. Commented Feb 29, 2024 at 12:15
