
This doesn't seem to happen on Chrome, Firefox, or previous versions of Safari.

I have a sign in with Google button using the JavaScript API with ux_mode: 'redirect', and do not have one tap enabled.

Upon redirecting back to my site, I verify g_csrf_token as described in Google's docs: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token

The problem is specific to Safari v18 shipped with Sequoia, which as far as I can tell is not sending g_csrf_token with the request.

Notably, when checking the "Storage" tab of the browser, the g_csrf_token can still be found.

Is there some kind of behavioral change with the new Safari I'm not aware of? My setup is pretty basic, but on the other hand I would've expected widespread issues if such a basic behavior was changed, so I'm a bit stumped on what's going on.

Extracted code below:

<%# View (ERB): button container; the data attributes feed the JS below %>
<div
  id="google-button"
  data-button-text="<%= button_text %>"
  data-client-id="<%= google_oauth_client_id %>"
  data-request-url="<%= request_url %>"
>
</div>

// Client (JavaScript, uses jQuery for the data-* lookups)
window.addEventListener('load', function() {
  google.accounts.id.initialize({
    client_id: $('#google-button').data('client-id'),
    login_uri: $('#google-button').data('request-url'),  // Google POSTs the credential here
    ux_mode: 'redirect'
  });

  google.accounts.id.renderButton(
    document.getElementById('google-button'),
    { ... }
  );
});

# Server (Rails controller handling login_uri): double-submit check
if params[:g_csrf_token].blank? || cookies[:g_csrf_token].blank? || params[:g_csrf_token] != cookies[:g_csrf_token]
  head :bad_request
end
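As an added example (not the asker's code and not Google's library), here is the same double-submit check written so that it reports *why* it failed: a request where the POST field is present but the cookie is absent (the situation the question describes) is logged differently from a genuine mismatch, which is the first thing you want to know when one browser version stops passing. It assumes plain Ruby hashes shaped like Rails' `params` and `cookies`, the field and cookie names from the question, and uses `OpenSSL.fixed_length_secure_compare` (Ruby 2.7+) so the comparison does not leak where the strings differ.

```ruby
require "openssl"

# Outcome of the check. `reason` is what you would log; the HTTP status is
# derived from `ok` so the client never learns which half was missing.
CsrfResult = Struct.new(:ok, :reason) do
  def http_status
    ok ? 200 : 400
  end
end

FIELD = "g_csrf_token"  # name used for both the POST field and the cookie

# Double-submit cookie check: the token Google's library put in a cookie must
# equal the token it posted in the form body. Both must be present.
def verify_g_csrf_token(params, cookies)
  body_token   = params[FIELD].to_s    # nil -> "" so a missing key is "empty"
  cookie_token = cookies[FIELD].to_s

  return CsrfResult.new(false, :missing_param)  if body_token.empty?
  return CsrfResult.new(false, :missing_cookie) if cookie_token.empty?

  # fixed_length_secure_compare raises on unequal lengths, so check length first;
  # revealing only the length difference is the standard accepted trade-off.
  return CsrfResult.new(false, :mismatch) unless body_token.bytesize == cookie_token.bytesize
  return CsrfResult.new(false, :mismatch) unless OpenSSL.fixed_length_secure_compare(body_token, cookie_token)

  CsrfResult.new(true, :ok)
end

# One log line per failed check; user_agent is a hypothetical field you would
# pull from the request so browser-specific breakage shows up in aggregates.
def csrf_log_line(result, user_agent)
  return nil if result.ok
  "g_csrf_token check failed reason=#{result.reason} ua=#{user_agent.inspect}"
end

# Constructed sample requests (not captured traffic) exercising each outcome.
SAMPLE_TOKEN = "3f9c0b2a7d1e4c58"

def demo
  healthy   = verify_g_csrf_token({ FIELD => SAMPLE_TOKEN }, { FIELD => SAMPLE_TOKEN })
  no_cookie = verify_g_csrf_token({ FIELD => SAMPLE_TOKEN }, {})            # cookie not sent
  no_param  = verify_g_csrf_token({}, { FIELD => SAMPLE_TOKEN })            # body field absent
  tampered  = verify_g_csrf_token({ FIELD => "0000000000000000" }, { FIELD => SAMPLE_TOKEN })
  [healthy, no_cookie, no_param, tampered]
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |r| puts "ok=#{r.ok} reason=#{r.reason} status=#{r.http_status}" }
  puts csrf_log_line(demo[1], "Safari/18 (constructed)")
end
```

In a controller you would call `verify_g_csrf_token(params, cookies)`, respond with `result.http_status`, and send `csrf_log_line` to your logger; grouping those log lines by reason and user agent is how you tell "cookie never arrived" apart from "someone replayed a form".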
