Maniphest T13254

"Login with Facebook" may fail CSP after redirect to "m.facebook.com"
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	epriestley
	Feb 21 2019, 5:22 PM

Tags

Referenced Files

None

Subscribers

Description

Reproduction instructions:

Visit secure.phabricator.com while logged out from an iPhone.
Click "Login with Facebook".

Actual behavior:

Facebook redirects to m.facebook.com.
This is not part of the form-action CSP.
The very sketchy redirect-after-post CSP rule blocks the request.

"Solution":

Add m.facebook.com to the form-action CSP.

In a perfect world:

Browsers should drop this redirect-after-post CSP rule because it makes these workflows impossible to get right without enumerating all of the behaviors of Facebook/Google/etc/etc and updating every CSP-respecting client if they change.

Revisions and Commits

rP Phabricator
	D20206	rP701a9bc339b9 Fix Facebook login on mobile violating CSP after form redirect

Event Timeline

epriestley triaged this task as Low priority.Feb 21 2019, 5:22 PM

epriestley created this task.

Herald added a subscriber: amckinley. · View Herald TranscriptFeb 21 2019, 5:22 PM

epriestley added a revision: D20206: Fix Facebook login on mobile violating CSP after form redirect.Feb 23 2019, 12:58 AM

epriestley closed this task as Resolved by committing rP701a9bc339b9: Fix Facebook login on mobile violating CSP after form redirect.Feb 23 2019, 1:25 PM

epriestley added a commit: rP701a9bc339b9: Fix Facebook login on mobile violating CSP after form redirect.