We’re running Progressive Web Applications with push notifications enabled for Chrome and Samsung Internet, and encourage our users to add it to their home screen. We scrupulously log and monitor browser exceptions to preserve a high-quality service.
Since May 22, 2018, we have noticed a sudden rise of puzzling JavaScript exceptions originating from calls to standard, feature-detected Web APIs that had previously never failed.
For example, the following code would produce the following error, despite “push” clearly being a valid value per Permissions.query() specs:
const permissionStatus = await navigator
.permissions
.query({ name: 'push', userVisibleOnly: true });
TypeError: Failed to read the 'query' property from 'Permissions': The provided value 'push' is not a valid enum value of type PermissionName.
Upon closer inspection, we noticed that all such errors happened during script execution by user agents that are not our actual customers. Rather, we see an unknown client query our application right after our user visiting:
- User visits our PWA, no error is reported
- User uses “Add to Home Screen” (most of the times), no error is reported
- Unknown client visits our PWA, errors are reported.
This unknown client performs a HTTP Request bearing characteristic patterns:
- URL is the exact same as the one visited by the User
- Originating IP Address is assigned to Google, Inc. (66.102.0.0/20 or 66.249.64.0/19 range)
- Referrer is “https://www.google.com/”
- User Agent String somehow matches the one of the User: same version of Android, same device build, same browser, but a different browser version, always from this list:
- Chrome/66.0.3359.126 (May 22 → May 30)
- Chrome/66.0.3359.158 (June 11 → June 25)
- SamsungBrowser/3.0 Chrome/38.0.2125.102 (June 25 → June 27)
- SamsungBrowser/6.4 Chrome/56.0.2924.87 (May 22 → May 30, June 25)
- SamsungBrowser/7.0 Chrome/59.0.3071.125 (May 22 → May 30, June 25)
What’s more, these requests only occur intermittently, in a seemingly controlled way, as reflected by the dates above and the graph below:
This, and the fact that we detect usage of “Add to Home Screen” in most cases, make us wonder if this could be an experiment having to do with WebAPKs. However, this is undocumented, and thus very puzzling.
What is this unknown Google-originating client?
What is its purpose?
How should developers detect them, and what measures should be taken?
August 2018 Update: Requests such as described above seem to have vanished completely now… But they could have been some sort of prototype of a somehow-similar kind of requests we’re seeing now. These requests of a new kind are still originating from Google servers, and seem to exclusively target the Web Manifest of our PWA, therefore no JavaScript error is triggered anymore. They all bear a Chrome/59+ user agent string clearly postfixed (via Google-Chrome-WebAPK)
. Other browsers, such as Samsung Internet, have yet to be spotted.
This might be a headless Chrome (probably pre-release tests, in case you have it in the Play Store), which does not feature
push
permission; eg. with Pupeteer, one can only override permissions, but not really accept the permission prompt... and there generally is no desktop attached, where one could push notifications to.Just
try
andcatch
to sort out clients not supportingpush
permission.