Differential D19159
Include OAuth targets in "form-action" Content-Security-Policy Authored by epriestley on Mar 1 2018, 3:25 AM. Tags None Referenced Files
Subscribers
Details
Ref T4340. Some "Register/Login" and "Link External Account" buttons are forms which submit to third-party sites. Whitelist these targets when pages render an OAuth form. Safari, at least, also prevents a redirect to a third-party domain after a form submission to the local domain, so when we first redirect locally (as with Twitter and other OAuth1 providers) we need to authorize an additional URI. Clicked all my registration buttons locally without hitting CSP issues.
Diff Detail
Event TimelineComment Actions I just did a fresh install of Phabricator with only Slack OAuth enabled (no password login) and I'm running in to this, it says "Refused to load <url> because it does not appear in the form-action directive of the Content Security Policy." in the console when clicking the Log In or Register button to log in. Interestingly it didn't seem to have trouble registering for an account, but refuses to log in. Same issue on Chrome and in Safari. Restarted apache which didn't seem to make a difference. It seems directly related to this commit. How can I help debug this? Is this a config problem, or something else I need to do to make this work? Comment Actions @epriestley Forgive me if you already got a notification about this, but I don't see your name as a subscriber so I wasn't sure if you would see it or not. |