Tag Archives: Chrome

Turn on snippets for additional context surrounding data loss prevention rule violations

What’s changing 

Admins can now view “Sensitive Content Snippets” for data loss prevention (DLP) rules. This applies to DLP events for Drive, Chat, and Chrome. When turned on, snippets will log the matched content that triggered a DLP violation in the security investigation tool. Admins can use the information captured in the snippet to better identify actual security risks, determine whether a false positive was returned, and decide on an appropriate course of action.

Getting started

  • Admins: 
    • Make sure any admins who need to review the snippets have the "view sensitive content" privilege. Only super admins have the ability to hide or unhide sensitive data.

    • This feature will be OFF by default and can be turned on in the Admin console by going to Security > Data Protection > Data Protection Settings > Sensitive Content Storage.
      • To view snippets in the security investigation tool, select any row from the “Description” column and scroll down to “Sensitive Content Snippets”. Here you’ll see the matched detector ID, the matched content starting character, and the matched content length.

    • Visit the Help Center to learn more about viewing content snippets that trigger DLP rules, using Workspace DLP to prevent data loss, and the security investigation tool.

  • End users: There is no end user impact or action required.

Rollout pace


Availability

  • Available to Google Workspace Frontline Standard, Enterprise Standard and Enterprise Plus, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus, and Enterprise Essentials Plus customers
  • Also available to Cloud Identity Premium and BeyondCorp Enterprise customers

Resources

Navigate to Chrome Browser management faster in the Admin console

What’s changing

In the Admin console, we’ve added a dedicated category for Chrome Browser admin capabilities in the left-hand navigation menu. Previously, Chrome Browser admins had to go to Devices > Chrome > Managed browsers; the new category makes navigating to these specific pages faster. From here, you’ll be able to take actions such as configuring and enforcing Chrome policies, viewing reports on Chrome browsers in your organization, and more. For even more convenient access, you can pin this link to the top of your navigation bar.




Getting started

Admins: 

  • This update will be automatically available. 
  • Customers can sign up for ChromeOS and Chrome Browser Management and use the Admin console to manage their devices/browsers.


Rollout pace


Availability

  • Available to all Chrome Browser Cloud Management and Google Workspace customers 


Resources


Improving user safety in OAuth flows through new OAuth Custom URI scheme restrictions

Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google’s continuous commitment to user safety and finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of custom URI scheme methods. They’ll be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

Disallowing Custom URI scheme redirect method for new Chrome Extensions

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth custom URI scheme methods. Instead, implement OAuth using the Chrome Identity API, a more secure way to deliver the OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods and require all extensions to use the Chrome Identity API method.

Disabling Custom URI scheme redirect method for Android clients by default

By default, new Android apps will no longer be allowed to use Custom URI schemes to make authorization requests. Instead, consider using the Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to use the Google Identity Services for Android SDK. If you're creating a new app and the recommended alternative doesn’t work for your needs, you can enable the Custom URI scheme method for your app in the “Advanced Settings” section of the client configuration page on the Google API Console.
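
An added example, not part of the original post or of Google's tooling: a small audit that classifies the redirect URIs in an OAuth client inventory and reports the clients still using a custom URI scheme, so they can be scheduled for migration. The inventory shape, client names and URIs are constructed for illustration.

```javascript
// Added example: audit OAuth redirect URIs for custom URI schemes.
// A custom scheme (e.g. com.example.app:/cb) can be registered by any app
// on the device, which is what makes app impersonation possible.

function classifyRedirectUri(uri) {
  // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  if (!m) return { kind: "invalid" };
  const scheme = m[1].toLowerCase();
  if (scheme !== "https" && scheme !== "http") {
    return { kind: "custom-scheme", scheme };
  }
  let url;
  try {
    url = new URL(uri);
  } catch (e) {
    return { kind: "invalid" };
  }
  // chrome.identity.getRedirectURL() yields https://<extension-id>.chromiumapp.org/...
  if (scheme === "https" && url.hostname.endsWith(".chromiumapp.org")) {
    return { kind: "chrome-identity", scheme };
  }
  return { kind: scheme, scheme };
}

// Constructed sample inventory; every name and URI here is hypothetical.
const SAMPLE_CLIENTS = [
  { name: "notes-extension", platform: "chrome-extension",
    redirectUris: ["https://abcdefghijklmnopabcdefghijklmnop.chromiumapp.org/oauth2"] },
  { name: "legacy-extension", platform: "chrome-extension",
    redirectUris: ["com.example.legacyext:/oauth2redirect"] },
  { name: "android-app", platform: "android",
    redirectUris: ["com.example.app:/oauth2redirect", "https://app.example.com/oauth2/callback"] },
];

// Returns one finding per redirect URI that needs attention.
function auditClients(clients) {
  const findings = [];
  for (const c of clients) {
    for (const uri of c.redirectUris) {
      const r = classifyRedirectUri(uri);
      if (r.kind === "custom-scheme" || r.kind === "invalid") {
        findings.push({ client: c.name, platform: c.platform, uri, kind: r.kind });
      }
    }
  }
  return findings;
}

console.log(auditClients(SAMPLE_CLIENTS));
```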

User-facing error message

Users may see an “invalid request” error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking on the "Learn more" link in the error message.

[Image: User-facing error example]

Developer-facing error message

Developers will be able to see additional error information when testing user flows for their applications. They can get more information about the error by clicking on the “see error details” link, including its root cause and links to instructions on how to resolve the error.

[Image: Developer-facing error example]
