Disabling Google login inheritance by browser
-
I've started using Vivaldi within the past few months after being on Firefox for, well, forever. I have two Google accounts that I stay logged into - one is a general Gmail account that I stay logged into for Youtube Premium and the other is a Google Workspaces account that I stay logged into for email/calendar. The Workspaces account is self-managed (my own domain, totally personal and I am the admin). In Firefox, when I added an extension, I had no trouble from my Google logins because Firefoxs Add-on store doesn't interact with Google.
However, because Vivaldi is Chromium-based, when I open the Chrome Web Store to install an extension, it serves a page for "Service Not Allowed" because the Workspaces " account is managed by an organization that has this service turned off for its users". If I manually switch over to my Gmail account it takes me to the Web Store page I was trying to reach.
Granted, I don't install extensions very often, but I don't use browser profiles (never have) and I don't like how Chromium is allowed to hijack an account login and treats the browser like it's managed by that account.
Is there a way, perhaps in the advanced config:: settings, to block this behavior? Or some other solution that I would give me the same outcome?
Thanks!
-
@ryanpage said in Disabling Google login inheritance by browser:
account is managed by an organization
Meant normally the browser in managed by policies.
Openchrome://policyto check this.
I don't understand what this Google Workspace account is but I cant login to two different Google accounts at the same time. -
When I say logged in with a Google account, I mean just in a page in the browser, like Gmail - not using a Google account as a Chrome browser profile. You can have more than one Google account logged in at a time within the browser. If you click on the profile icon for the Google account in the upper right corner of a Google page, it will open a modal window that shows all of the Google accounts you're currently logged in with and you can select a different account for that page.
What I'm concerned about is that I see the Extensions as being a function of the browser, not of whichever Google account happens to have cookies in the browser session. The Chrome Web Store would allow me to install extensions if no Google accounts were logged in. That's basically how I want anything in the browser to work - with a Chinese wall between web page activity and browser management.
I checked chrome://policy but it doesn't show any active (and I haven't set any at the browser level so that seems correct). I just don't want it sneakily asking a web page I'm logged into for permission to do anything.
-
@ryanpage
I test before I write here.
I am logged in to my Prime Light YT account, if I open a new page google.com or Gmail I am logged in to the same account.
If I use the modal window to change to my second account the YT page change to the second account, too.
I guess you meant this:
Anyway, I test a lot and install extensions often, doesn't matter if I logged in to a Google account or not.
I hope another user can help here.Cheers, mib
-
Thanks, yes that is the modal that I was talking about to switch accounts. You're logging in with a Gmail account there, which is just a regular Google account. My gmail account doesn't cause problems with the Web Store, just the Google Workspaces. The browser is treating the Workspaces login as if suddenly my browser was managed by an IT department who can set admin policies on me as a user. If I "choose a different account" from the "Service is not Allowed" screen and pick the Gmail account, it takes me to the Chrome Store page I want to go to.
When I go to the Vivaldi menu and select Extensions, it opens a Vivaldi browser page vivaldi:extensions where all of my installed extensions show up. This is good.
But if I want to add an extension, I click "Discover more extensions and themes on the Chrome Web Store" and instead of a browser settings page I get redirected to a Google Workspaces site that is applying Workspaces policies:
I expect that Google intends this behavior in Chrome, but to me this is like a privilege escalation attack. I'm not installing an extension to my Workspaces account, which is the only thing that Workspaces should be able to manage. I'm just hoping that there is some setting that I can enforce that protects my browser from a site I'm logged into.
-
@ryanpage This is something you will need to talk to Google about.
A few years ago the Chromium team (that is, Google) changed the API used to manage logins to Google Mail and Calendar so that we could no longer use a separate cookie jar for the Mail and Calendar as we had before (which some users had been confused by), and the login is now the same as for the general browser profile. (Multiple accounts can be used for Google Accounts as you already know.)
Regarding what actual account is used for specific Google sites will depend on whether Google actually permits that by some kind of UI, and whether they actually gives certain kinds of accounts an override capability when multiple accounts are used.
The only way to keep two Google accounts separate in Vivaldi and general Chromium (e.g. Chrome) is to use separate profiles where each is logged into separate accounts, never mixing. In Vivaldi it is also possible to use a standalone install to completely separate the profiles (which is what I do for several of my sessions).
-
@yngve Thanks, that's disappointing but I know the Vivaldi team is dependent on what Chromium allows. I'll have to experiment with some better ways to keep my mail/calendar account sandboxed from my normal browsing, or just see if there's a way to force the Chrome Webstore to load without my using my accounts being logged in elsewhere.
-
@ryanpage I suspect that Google intentionally gave Workspaces accounts like the one you are using override priority in cases like the extension store.
They probably did this because they consider the extension store to be a possible security problem (malware extensions), which could be a serious problem in a corporate environment (where a workspaces account would like be used in most cases).
My guess is that the only way to avoid the problem is to either use separate profiles, or (in case of a company managed Workspaces account) only use it on the work PC (and not use the other account on those, which is never a good idea anyway regarding company owned machines).
You might look to see if there is a settings in the account.
-
@ryanpage It's not really "Google login inheritance" or Google deciding anything about how Vivaldi works.
It's just that you're signed in to several Google accounts (which is possible) and you have cookies telling Google that you are. And these cookies are shared.
Vivaldi (and not any other Chromium browser) does not have "containers" like Firefox and so the only solution to this is to use a separate profile to keep data/cookies separate.
Quite possibly you'd be able to install an extension in a clean profile - before signing in to your Google Workspace account - and then the extension will still be installed after signing in. No idea how this works, never tested.
-
Thanks Yngve and Pathduck, agreed this is an issue with Google, not Vivaldi. It's a weird design decision to let Workspaces admins override a browser UI activity since you can just log out of your account and install the extension, but I'm just going to treat it as a good nudge to move off of webmail and back into a proper email client.
-
Just to close the loop for anyone who comes across this post in the future with a similar problem (even though this is probably an edge case), I was able to fix the behavior by creating a custom website permissions entry for chromewebstore.google.com that changes Allow to Block from the default Global Permission setting for cookies. Now it can't read any cookies that have my Workspaces login.
-
@ryanpage
Hi and thank you for the information.
Is it possible disable this setting setting does the same?
-
@mib2berlin That looks like it would disable installing extensions from the Web Store, but when I disabled it I was able to install an extension (I want to be able to install extensions either way, so it is currently working the way I want).
