4 replies to this topic

[Dar]

My OAuth method uses a custom URL protocol for the callback and launches the default web browser.

That works fine on OS X (Safari and Firefox) and on Windows with Firefox. However, it hangs with Internet Explorer.

It hangs waiting for data from this:

https://sandbox.evernote.com/Login.action?targetUrl=%2FOAuth.action%3Foauth_token%3D...

(where the ellipsis is the token)

That is not the authentication URL that my code launches. That seems to be some translation of it.

Since it works otherwise I suspect the page generated by Evernote for IE has a bug or IE has some weird behavior and I need to set some registry entries.

I welcome advice.

(I think I have seen another failure on IE only just before the callback, but if that is still there, it is blocked by this. Maybe I saved a password or something to create the block.)

[Dar]

The above is on XP using IE8.

I get a different response on Windows 7 using IE9.

Here I am able to get through authentication but then IE fails. It displays a page that says "The webpage cannot be displayed." Also: "Some content or files on this webpage require a program you don't have installed." A link is labeled "Search online for a program you can use to view this web content" but it passes "https" as the protocol it cannot handle.

I typed in a dummy callback using IE and that seems to work. My custom protocol seems to work. At least in that context.

I retyped "https" in all of my source code.

I welcome advice on what might be causing this and on how I can get better information out of IE.

[Dar]

In the second situation (IE9) I found the developer tools in the tools (gear) menu. From there I found the network tab. I was able to capture the redirect page. It includes these items for headers?

response
HTTP/1.1 302 Moved Temporarily

X-FRAME-OPTIONS
SAMEORIGIN

Location
x-darz-app://auth.login.com/OauthLibrary?oauth_token=...

The length of the location is about 240 characters. The exact protocol is experimental as I test the OAuth code.

I can take the location value and navigate to it directly and it works. The problem seems to be with the redirect.

At this point I'm wondering if IE thinks there is something immoral about the redirect.

[Dar]

I have searched online and found that many have found that IE chokes on a redirect to a custom protocol. (Perhaps this is a sloppy response to a vulnerability.)

One person noted that using http-equiv="refresh" works where a redirect does not.

[Dar]

I apologize for mixing two IE problems in the same topic.

I think the first one on XP with IE8 has gone away. I can't seem to duplicate that.

The second is a concern. I'd like to be able to use a custom protocol for the callback, but I'm ready to use http://127.0.0.1:9999/oauth if I must.