
Include OAuth targets in "form-action" Content-Security-Policy
Closed, Public

Authored by epriestley on Mar 1 2018, 3:25 AM.
Referenced Files
F12805737: D19159.id45895.diff
Details

Summary

Ref T4340. Some "Register/Login" and "Link External Account" buttons are forms which submit to third-party sites. Whitelist these targets when pages render an OAuth form.

Safari, at least, also prevents a redirect to a third-party domain after a form submission to the local domain, so when we first redirect locally (as with Twitter and other OAuth1 providers) we need to authorize an additional URI.

Test Plan

Clicked all my registration buttons locally without hitting CSP issues.
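The summary above describes two things a `form-action` policy has to cover on a page with OAuth buttons: the third-party site the login form posts to directly, and, for providers where the form first posts locally and the server then redirects to the provider (the OAuth1 case), the redirect target as well, because Safari applies `form-action` to the post-submission redirect chain. The following added example (Python, not Phabricator's PHP and not code from this revision) builds such a directive from a list of provider URLs and models the browser-side check for both a direct cross-origin submission and a local submission followed by a cross-origin redirect. The hostnames, paths and the `https://phabricator.example.com` origin are constructed for the example, and the matching is a simplified model of the CSP source-expression rules (exact scheme/host/port match, `'self'` equal to the page origin).

```python
"""Build and check a Content-Security-Policy "form-action" directive for a
page that renders OAuth "Login" / "Link External Account" forms.

Added example: not Phabricator's own code, and a simplified model of CSP
source matching (exact scheme://host[:port] comparison, no wildcards,
no http->https upgrade of 'self').
"""

from urllib.parse import urlsplit


def source_expression(url):
    """Reduce a URL to the CSP source expression (scheme://host[:port]) that a
    browser compares a form's submission target against."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported form target: %r" % (url,))
    host = parts.hostname
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    return "%s://%s" % (parts.scheme, host)


def build_form_action(oauth_targets, local_redirect_targets=()):
    """Return a form-action directive allowing local forms ('self') plus every
    third-party origin an OAuth form may submit to or be redirected to.

    oauth_targets: provider URLs that login/register forms post to directly.
    local_redirect_targets: provider URLs reached by a redirect after the form
    posts locally (OAuth1 flows); Safari requires these to be listed too.
    """
    sources = ["'self'"]
    for url in list(oauth_targets) + list(local_redirect_targets):
        src = source_expression(url)
        if src not in sources:
            sources.append(src)
    return "form-action " + " ".join(sources)


def form_action_allows(directive, page_origin, target_url):
    """Model the browser check: the submission target's origin must equal a
    listed source, with 'self' standing for the origin of the page."""
    name, *sources = directive.split()
    if name != "form-action":
        raise ValueError("not a form-action directive: %r" % (directive,))
    target = source_expression(target_url)
    for src in sources:
        if src == "'self'" and target == page_origin:
            return True
        if src == target:
            return True
    return False


def first_blocked_in_chain(directive, page_origin, submission_chain):
    """Walk a form submission followed by its redirects (Safari checks every
    hop against form-action) and return the first URL the policy blocks, or
    None if the whole chain is allowed."""
    for url in submission_chain:
        if not form_action_allows(directive, page_origin, url):
            return url
    return None


# Constructed sample data for the example (not from the revision).
PAGE_ORIGIN = "https://phabricator.example.com"
SLACK_AUTHORIZE = "https://slack.com/oauth/authorize"
TWITTER_AUTHENTICATE = "https://api.twitter.com/oauth/authenticate"
# OAuth1-style flow: the form posts locally, the server then redirects.
TWITTER_CHAIN = [
    PAGE_ORIGIN + "/auth/login/twitter:twitter.com/",
    TWITTER_AUTHENTICATE + "?oauth_token=example",
]

if __name__ == "__main__":
    # Listing only 'self' is what produces "Refused to load ... form-action".
    narrow = "form-action 'self'"
    print(narrow, "blocks:", first_blocked_in_chain(narrow, PAGE_ORIGIN, TWITTER_CHAIN))
    policy = build_form_action([SLACK_AUTHORIZE], [TWITTER_AUTHENTICATE])
    print(policy, "blocks:", first_blocked_in_chain(policy, PAGE_ORIGIN, TWITTER_CHAIN))
```

Running the block prints the directive both ways: with only `'self'` the Twitter redirect hop is the first blocked URL, which is the symptom the summary attributes to Safari; once the provider origin is listed the chain passes. Whitelisting the provider origin rather than the full URL is deliberate: `form-action` sources are origin-level, and the provider's query string (state, tokens) changes per request.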

Diff Detail

Repository
rP Phabricator
Branch
csp7
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 19706
Build 26689: Run Core Tests
Build 26688: arc lint + arc unit

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review. Mar 1 2018, 3:27 AM
epriestley requested review of this revision.
This revision was automatically updated to reflect the committed changes.

I just did a fresh install of Phabricator with only Slack OAuth enabled (no password login) and I'm running into this: it says "Refused to load <url> because it does not appear in the form-action directive of the Content Security Policy." in the console when clicking the Log In or Register button to log in. Interestingly, it didn't seem to have trouble registering for an account, but refuses to log in. Same issue on Chrome and in Safari. Restarted apache, which didn't seem to make a difference.

It seems directly related to this commit. How can I help debug this? Is this a config problem, or something else I need to do to make this work?

@epriestley Forgive me if you already got a notification about this, but I don't see your name as a subscriber so I wasn't sure if you would see it or not.