Phabricator to BMO OAuth2 authentication fails to work properly due to CSP protections
Categories: bugzilla.mozilla.org :: Phabricator Integration, defect
People: Reporter: dkl, Assigned: dkl
Attachments: 1 file
Under Firefox it works fine, but if you try to authenticate to BMO from Phabricator using OAuth2, once you confirm the scopes in Chrome, the redirect back to Phabricator is cancelled. If you copy the Location: value from the header generated by BMO and paste it directly to Phabricator, the authentication succeeds and you are logged in.
Adding the current Phabricator host to the form_action allowed section of the CSP header solves this issue.
Patch coming.
Comment 1•4 years ago
Comment 2•4 years ago
More information:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
"Whether form-action should block redirects after a form submission is debated and browser implementations of this aspect are inconsistent (e.g. Firefox 57 doesn't block the redirects whereas Chrome 63 does)."
We are doing a redirect right after a form submission, which Firefox does not block but Chrome does, which is why we need to whitelist Phabricator in the form_action CSP directive.
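
Added illustration, not part of this bug or BMO's code: a simplified JavaScript model of a browser that enforces `form-action` on the redirect following a form submission, the behaviour attributed to Chrome above. Host names, URLs and policy strings are constructed, and source matching ignores paths.

```javascript
// Added example: simplified model of a browser that applies form-action to the
// redirect following a form submission. Host names and URLs are constructed.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// Return form-action's source list, or null when the directive is absent.
// form-action does not fall back to default-src, so absent means unrestricted.
function formActionSources(csp) {
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === 'form-action') return sources;
  }
  return null;
}

// Match one source expression against the target (paths are not modelled).
function sourceMatches(source, target, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === self.origin;
  if (source === '*') return target.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  if (target.protocol !== wantScheme) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? target.hostname.endsWith('.' + h) : target.hostname === h;
  const portOk = port === '*' || portOf(target) === (port || DEFAULT_PORT[target.protocol]);
  return hostOk && portOk;
}

// True when an enforcing browser would let the post-submission redirect proceed.
function redirectAllowed(csp, pageUrl, redirectUrl) {
  const sources = formActionSources(csp);
  if (sources === null) return true;
  const self = new URL(pageUrl);
  const target = new URL(redirectUrl);
  return sources.some((s) => sourceMatches(s, target, self));
}

const PAGE = 'https://bmo.example/confirm-scopes';               // constructed
const REDIRECT = 'https://phabricator.example/callback?code=x';  // constructed
const BEFORE = "default-src 'self'; form-action 'self'";
const AFTER = "default-src 'self'; form-action 'self' https://phabricator.example";

console.log('before:', redirectAllowed(BEFORE, PAGE, REDIRECT));
console.log('after: ', redirectAllowed(AFTER, PAGE, REDIRECT));
```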
Comment 3•4 years ago
Merged to master.