Here’s one for the conspiracy theorists: It turns out that Google App Engine, their new platform for building and hosting third party web applications, is blocking applications from integrating with PayPal for payments.
Developers who are building apps that use PayPal to handle payments usually require the application to send a request to the PayPal service. The URL’s used in these requests are all on the paypal.com domain name, and there is a test environment setup on a URL at http://www.sandbox.paypal.com. In Google App Engine apps, requests to either of these URL’s returns a generic ‘download’ error with no specific details.
A number of developers complained in a Google App Engine forum discussing the issue (also on Hacker News), where they also found a way to bypass the restriction by using a third-party proxy (like TinyURL). Then, early this morning, a Google employee named Marzia Niccolai wrote a comment, saying that the error was caused by their anti-phishing protections:
Thanks for the report! This is a bug, and we have located the problem. There was an error in our anti-phishing protections that was blocking some specific URL domains from being fetched using the URLFetch service. This was an oversight on our part, and these specific domain restrictions will be removed in the next few days.
Normally something like this wouldn’t raise too many eyebrows. But there’s too much bad blood between Google and eBay not to question this, and Google’s anti-phishing blacklist does not, of course, list the paypal.com domain as a phishing site.
Most developers who have commented on this so far strongly believe that this was a deliberate block by Google. So far, we can only take Google at their word that blocking Paypal was an accident because of the way their anti-phishing rules work. But with so many phishing sites involving Paypal, you would think that when implementing their rules they would at least check that the real Paypal site still works. Besides, the Google.com phishing test shows that Paypal is considered a safe site.
Why would it be different for App Engine? To make things more suspicious, that phishing test tool was launched last month.
We have emailed Google for a comment and will be updating this post as news comes in.
Update: In the post we mentioned that some developers were using a third-party server and/or domain to proxy requests to PayPal. It turns out that even those proxy requests no longer work (they did at some point), leaving one of the developers on that thread to conclude ‘I guess they are blocking PayPal at their (Google’s) gateway..’.