Gmail Security Assessment


Hari Shankar Das

Sep 17, 2019, 3:42:36 PM
to google-apps-sc...@googlegroups.com
I have an Apps Script based project for Gmail. As per the last email from Google, the Security Assessment can be avoided if the app is converted to a client-only app instead of a server-side one. An example is https://www.deseat.me/

So I removed all UrlFetchApp calls from my code, made other changes and replied back on the same email. It has been 2 weeks but no reply. Has anybody faced a similar situation? Was anybody able to skip the security assessment by making such changes?

The last date for the Security Assessment is approaching and I can't afford the cost of the assessment (> $15000). Any help is greatly appreciated.

Romain Vialard

Sep 18, 2019, 4:03:45 AM
to Google Apps Script Community
Yes, I can confirm that removing the script.external_request scope will free you from having to go through the Security Assessment.
It took me a while to get a confirmation, nearly 2 months between the time I updated the app and the confirmation.

In the end, I simply received a standard confirmation email stating that "Your OAuth App Verification request for project api-project-XXX has been approved for the following scopes" and enumerating all the scopes I was using, including "https://mail.google.com/" but not script.external_request, which I was able to remove.

Hari Shankar Das

Sep 25, 2019, 1:02:37 PM
to Google Apps Script Community
Thanks @Romain for the info. Seems like I will have to wait for another 1 month.

Hari Shankar Das

Sep 27, 2019, 8:38:41 AM
to Google Apps Script Community
In the console https://console.cloud.google.com/home/dashboard, if you go to your project and select "API & Services" -> OAuth consent screen, does it show the verification status as "Verified"?

In my case it shows "Pending security assessment."

Romain Vialard

Sep 27, 2019, 10:05:42 AM
to Google Apps Script Community
Yes, verified.


Hari Shankar Das

Nov 9, 2019, 1:46:50 AM
to Google Apps Script Community
It has been over 45 days and there is still no reply from Google.
This is what is displayed in my developer console:

Pending security assessment (last approved consent screen is still in use)

What should I do? Any suggestion? The last date for the security assessment is getting nearer.

On Friday, 27 September 2019 19:35:42 UTC+5:30, Romain Vialard wrote:
Yes, verified.


Alan Wells

Nov 9, 2019, 6:40:36 AM
to Google Apps Script Community
You have a scope of:
That scope permits:

Full access to the account, including permanent deletion of threads and messages. This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes.


Restricted scopes require a security assessment.
I can't believe that just removing UrlFetchApp.fetch(url) is going to exempt you from getting the security assessment if you are using that scope. And if you are using scope https://mail.google.com/, then it's pointless to list scope:

../auth/script/sendmail/

I'm not the person who can give you an official answer. (Good luck getting that.)
But according to the documentation, you need to get a security assessment if you're going to use scope.

Do you need to permanently delete threads and messages, bypassing trash? If you do, then you need scope:

And you'll need to get a security assessment. If just removing UrlFetchApp.fetch(url) exempts you from getting a security assessment, then the documentation is wrong.

Romain Vialard

Nov 11, 2019, 3:49:25 PM
to Google Apps Script Community
@Alan, as stated above, removing usage of UrlFetch will free you from having to go through the security assessment.

"It is critical that 3rd-party apps handling Gmail data meet minimum security standards to minimize the risk of data breach. We require apps that store data on servers to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request."
"If you don’t want to go through a security assessment, you will need to change your server storage to local storage only. Local client applications do not need to undergo a security assessment because data is run, stored, and processed only on the user's device (such as a computer, mobile phone, or tablet)."
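As an added example, not from this thread or from Google, here is a small lint over the oauthScopes list of an Apps Script appsscript.json manifest that encodes the three points made above: https://mail.google.com/ is a restricted scope, script.external_request is the scope whose removal Romain reports avoids the assessment, and narrower Gmail scopes are redundant next to the full one. The sample manifest is constructed, gmail.send is a real Gmail API scope the thread does not mention, and lintScopes is a hypothetical name.

```javascript
// Added example (not from the thread): least-privilege lint for the
// "oauthScopes" array of an Apps Script appsscript.json manifest.
const FULL_GMAIL = "https://mail.google.com/"; // restricted scope per the thread
const EXTERNAL_REQUEST = "https://www.googleapis.com/auth/script.external_request";
const GMAIL_PREFIX = "https://www.googleapis.com/auth/gmail."; // narrower Gmail API scopes

/**
 * Returns [{scope, issue}] findings for a parsed manifest object.
 * Issues: "restricted", "server-side-assessment",
 * "redundant-with-full-gmail", "duplicate".
 */
function lintScopes(manifest) {
  const scopes = Array.isArray(manifest.oauthScopes) ? manifest.oauthScopes : [];
  const hasFull = scopes.includes(FULL_GMAIL);
  const seen = new Set();
  const findings = [];
  for (const scope of scopes) {
    if (seen.has(scope)) {
      findings.push({ scope, issue: "duplicate" });
      continue;
    }
    seen.add(scope);
    if (scope === FULL_GMAIL) {
      findings.push({ scope, issue: "restricted" });
    } else if (scope === EXTERNAL_REQUEST) {
      // The scope Romain removed to avoid the server-side assessment.
      findings.push({ scope, issue: "server-side-assessment" });
    } else if (hasFull && scope.startsWith(GMAIL_PREFIX)) {
      // Alan's point: a narrower Gmail scope adds nothing next to the full one.
      findings.push({ scope, issue: "redundant-with-full-gmail" });
    }
  }
  return findings;
}

// Constructed manifest fragment for demonstration (not a real project's file).
const SAMPLE_MANIFEST = {
  timeZone: "Asia/Kolkata",
  oauthScopes: [
    FULL_GMAIL,
    "https://www.googleapis.com/auth/gmail.send",
    EXTERNAL_REQUEST,
    "https://www.googleapis.com/auth/gmail.send",
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of lintScopes(SAMPLE_MANIFEST)) console.log(`${f.issue}: ${f.scope}`);
}
```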



Mani Doraisamy

Nov 11, 2019, 4:52:26 PM
to google-apps-sc...@googlegroups.com
Hi Romain,
That's an interesting way to protect Gmail data from falling into the wrong hands. But isn't it possible to include a pixel image in a Gmail add-on and pass all the data to the third-party server as a GET parameter of the image?

regards,
mani 


Alan Wells

Nov 11, 2019, 7:50:56 PM
to Google Apps Script Community
That's good to know.

I did a search on the quote and found this link to a Google Cloud blog.

Andrew Apell

Nov 13, 2019, 3:22:40 PM
to Google Apps Script Community
Send them an email... it worked for me and sped up the process.

Hari Shankar Das

Nov 13, 2019, 11:46:04 PM
to google-apps-sc...@googlegroups.com
Do you have an email id, or did you just reply on that thread? I have already contacted them once.


Andrew Apell

Nov 13, 2019, 11:52:50 PM
to Google Apps Script Community
I sent them mail here: oauth-f...@google.com
They will tell you what the delay is about.

Hari Shankar Das

Nov 14, 2019, 8:13:53 AM
to Google Apps Script Community
Thanks, I will try to contact them.