Aral Balkan: Historical Archive — Google App Engine not blocking PayPal?

Google App Engine not blocking PayPal?

Update: Marzia from the Google App Engine team responded to the post. It is a bug (and, according to yet another update on the forums, this has now been fixed).

Here's Marzia's comment:

This is a bug, and we have located the problem. There was an error in our anti-phishing protections that was blocking some specific URL domains from being fetched using the URLFetch service. This was an oversight on our part, and these specific domain restrictions will be removed in the next few days.

Great news, Marzia, thanks! :) It's definitely going to make my life easier to be able to reach PayPal from Google App Engine.

Original post follows:

You know that I am very optimistic and supportive of Google App Engine but something I read today has made me a little worried.

It appears that Google App Engine is deliberately blocking PayPal URLs. At first people thought this was due to a technical glitch, but, according to Petko D. Petkov on the Google App Engine forum, the calls succeed when using a forwarding URL (like TinyURL).

To quote Petko's post:

Apparently Google blocks URLs to paypal but with a bit of creativity we can bypass this restriction. . .
Requests to:
https://www.paypal.com/cgi-bin/webscr https://www.sandbox.paypal.com/cgi-bin/webscr
are blocked . . . in order to bypass them we need to change the paypal URLs to something different. For example, we can use tinyurl. . .
http://tinyurl.com/3ro7da
which is actually
https://www.sandbox.paypal.com/cgi-bin/webscr
If we send the post verification to that URL, we bypass the restriction

If this is true, I can't see how this move demonstrates good faith on Google's part. It doesn't seem to gel with their "do no evil" policy or, as Petko states, their championing of the open web.

So far, Google has been completely silent on this issue.

I hope that changes. And I hope this is a bug.

At the very least, someone from Google needs to explain to us why they are blocking PayPal URLs.

If this is true, it sets a dangerous precedent that should give any developer considering Google App Engine pause: Will Google use its position of power to dictate which services and web sites your applications will be able to access? We need a clear policy statement on this.

So, Google, what do you say?

Comments

This is not good hopefully it is a beta glitch or sandboxing that will go away. Maybe they didn't want anyone's business running off the beta version of GApps for liability reasons and will turn it on at launch. There have been a few times where the datastores have been down and I can see if I was making money off the beta that this could raise some important business issues. I am sure they will allow it and I am also sure they will have a Checkout API soon :). And Zaphod, you are right that white pixel is quite boisterous.
by ryan on 2008-06-10 15:13:09
Hi Aral, I really hope that is just some bug as you say. But more importantly, you have a stuck white pixel next to your left ear in your header image! Ohhhh the humanity!!!
by Zaphod on 2008-06-10 14:42:34
In the_phantom.jpg. Didn't realize your headers cycle. 8-D
by Zaphod on 2008-06-10 14:44:08
You really think this is a bug? A rival site that generates money for google being blocked is a "mistake"? Hrm. Let's wait a bit before judging, but I have a slight suspicion ...
by markus on 2008-06-10 18:11:50
How about payments through Google's own payment system? Sounds a little to convenient to call it a bug.
by Chad Udell on 2008-06-11 01:04:07
@flex: Whatever it was is not that important any more -- it was discussed publicly, Google responded, the issue has been fixed, end of story. That's how we deal with things on the Internet -- snap, snap! :)
by Aral on 2008-06-11 08:03:54
Oh and guys, I'm going to fix the one white pixel issue right _after_ I launch the new Singularity teaser site on Google App Engine. I know, I know, priorities! :) Seriously though, that little guy's been bothering the heck out of me too!
by Aral on 2008-06-11 07:56:39
Wow, this is pretty serious. And an error in anti-phishing that blocks specific URLs? Specifically, competitive URLs? Yikes. They could take a service down and be like, "Oops, sorry, we were just trying to be good and block phishing attempts." Uh huh.. Thanks for the post Aral.
by Shane Conder on 2008-06-10 18:25:00
To be fair, many phishing attacks *are* related to PayPal, so it's not obviously *complete* nonsense. And anti-phishing solution clearly *has* to work with specific URLs, that's how you blacklist, well, specific URLs that host scam pages.
by xxx on 2008-06-10 19:21:00
Come one .. enough with the conspiracy theories already. Of course this is a non-intentional bug. Google is not this stupid - thinking they can block PayPal without anyone noticing - *AND* if someone notices just call it a bug. Does that sound like a plan someone at Google would come up with? :-)
by flex on 2008-06-11 07:01:04
Hi Aral, It looks like you not subscribed to Slashdot Here is the link: http://tech.slashdot.org/article.pl?sid=08/05/31/1452238 So, if Ebay(PayPal) restricts all the payments to PayPal, why not Google to restrict payments to Google Checkout only? Sounds logical to me. Cheers, Dmitri.
by mitek on 2008-06-11 10:05:56
They better fix that soon, if it is indeed a bug. Otherwise Google is siding against the net neutrality that makes them so rich. By the way, a picture of your face holding something with a picture of your face? Can someone say narcissism? (http://aralbalkan.com/wp-content/themes/k2/images/headers/dot_net_mag.jpg).
by Nonie Harding on 2008-06-10 16:46:57
Hi Aral, We posted this on the groups, but I just wanted to follow up on your blog post as well. This is a bug, and we have located the problem. There was an error in our anti-phishing protections that was blocking some specific URL domains from being fetched using the URLFetch service. This was an oversight on our part, and these specific domain restrictions will be removed in the next few days. Thanks, -Marzia
by Marzia on 2008-06-10 18:14:04
Thanks, Marzia, I've updated the blog post with your comment.
by Aral on 2008-06-11 07:48:40