
I went to an article on medium.com earlier today, and instead of the annoying full screen popup they usually show to returning visitors, I saw this in the upper right corner:

Google popup

Right there on the Medium page they have my name and Google email address! I do not have an account on Medium, nor have I ever done anything but read various articles I received direct links to.

How is Medium able to display this popup? I have no memory of telling them who I am, and with all the talk about cross-origin protections this doesn't seem like it should be possible.

I suppose it probably is a popup feature provided by Google, but that sounds like it could be easily misused by any site to steal my name and email. I use Firefox, so it can't be some crazy Chrome feature.

Alice Ryhl
  • Got hit with that this morning, and while I'm sure it's sandboxed, it distracted me for a few minutes while I examined it, then very carefully closed it while making sure I didn't accidentally approve anything. Makes me want to block medium from my google news sources, actually. – Ask About Monica Jun 04 '19 at 20:02
  • [How to disable Google One Tap sign-up prompts?](https://superuser.com/questions/1414410/how-to-disable-google-one-tap-sign-up-prompts) on Super User – pk_ Apr 26 '21 at 05:12

2 Answers


Web developers can integrate Google Sign-In with their website.

Google Sign-In manages the OAuth 2.0 flow and token lifecycle, simplifying your integration with Google APIs. A user always has the option to revoke access to an application at any time.

Websites can access information such as your name or email when you log in. There are many ways to customize the login button or popup, which is sometimes why it looks integrated into the page while it is actually being served by Google over HTTPS. This is also why the website is able to show your name: it is actually served by the Google API. In this specific example, an iframe is used, which prevents information from being shared with Medium due to the same-origin policy.

Kevin
  • If it is embedded in a webpage, then what prevents that site from running JavaScript which sends what is being displayed on the webpage? – defalt Dec 30 '18 at 05:16
  • Good question @defalt, I don't think you can prevent that. Maybe Google uses a different implementation than I thought of. – Kevin Jan 01 '19 at 17:54
  • So before I do anything on the site, Google knows that I've visited Medium, and presumably which page. Or am I missing something? – NealeU Mar 12 '19 at 10:39
  • Most websites these days use some sort of Google service (such as AdWords, Analytics, etc.), so yes, most of the time you visit any website Google knows about that, unless you use some sort of tracking/ad blocker @NealeU – Kevin Mar 13 '19 at 00:03
  • You ***REALLY*** should have mentioned that it's an iframe. It's not "embedded" in Medium, it's a completely separate web page from a different origin (google.com) that is shown within a corner of Medium's page. Medium.com cannot access the contents of the iframe (or vice versa) due to the same-origin policy. – CBHacking Jun 05 '19 at 02:34
  • I've added onto the answer a reference to the same-origin policy; however, I've linked to a page where this is explained, and Stack Exchange is not used to answer single problems but instead for a broader explanation, which is why it wasn't included. – Kevin Jul 06 '19 at 13:19

They do that via an iframe with one of Google's beta features which is currently closed. You can see the iframe in the following screenshot of Medium's website.

Screenshot of Medium's website and Google iframe

However, this does not mean Medium will be able to access your user information. The content inside the iframe is sandboxed and can only be accessed if Google adds a same-origin policy permission permitting Medium's domain to access it. See this Medium article for more information on cross-origin policies with iframes.

Justin Massey
  • It seems like Google One Tap is out of beta now. The documentation is [here](https://developers.google.com/identity/one-tap/web/guides/display-google-one-tap). – aiyan Apr 12 '20 at 02:18