Page MenuHomePhabricator

Include OAuth targets in "form-action" Content-Security-Policy

Authored by epriestley on Mar 1 2018, 3:25 AM.



Ref T4340. Some "Register/Login" and "Link External Account" buttons are forms which submit to third-party sites. Whitelist these targets when pages render an OAuth form.

Safari, at least, also prevents a redirect to a third-party domain after a form submission to the local domain, so when we first redirect locally (as with Twitter and other OAuth1 providers) we need to authorize an additional URI.

Test Plan

Clicked all my registration buttons locally without hitting CSP issues.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 3:27 AM
epriestley requested review of this revision.
This revision was automatically updated to reflect the committed changes.

I just did a fresh install of Phabricator with only Slack OAuth enabled (no password login) and I'm running in to this, it says "Refused to load <url> because it does not appear in the form-action directive of the Content Security Policy." in the console when clicking the Log In or Register button to log in. Interestingly it didn't seem to have trouble registering for an account, but refuses to log in. Same issue on Chrome and in Safari. Restarted apache which didn't seem to make a difference.

It seems directly related to this commit. How can I help debug this? Is this a config problem, or something else I need to do to make this work?

@epriestley Forgive me if you already got a notification about this, but I don't see your name as a subscriber so I wasn't sure if you would see it or not.