Closed Bug 1646559 Opened 3 months ago Closed 3 months ago

Phabricator to BMO OAuth2 authentication fails to work properly due to CSP protections

(bugzilla.mozilla.org :: Phabricator Integration, defect)

RESOLVED FIXED

(Reporter: dkl, Assigned: dkl)


Under Firefox it works fine, but if you try to authenticate to BMO from Phabricator using OAuth2 in Chrome, once you confirm the scopes the redirect back to Phabricator is cancelled. If you copy the Location: value from the header generated by BMO and paste it directly into Phabricator, the authentication succeeds and you are logged in.

Adding the current Phabricator host to the form_action allowed section of the CSP header solves this issue.

Patch coming.

Attached file GitHub Pull Request

More information:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action

"Whether form-action should block redirects after a form submission is debated and browser implementations of this aspect are inconsistent (e.g. Firefox 57 doesn't block the redirects whereas Chrome 63 does)."

We are doing a redirect right after a form submission, which Firefox does not block but Chrome does, which is why we need to whitelist Phabricator in the form_action CSP directive.
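To make the browser difference above concrete, here is an added example (editor's illustration, not BMO or Phabricator code) that parses a Content-Security-Policy header and evaluates a post-submission redirect target against the form-action directive the way the MDN note describes Chrome doing it. The hosts bmo.example and phabricator.example, the Location URL and the two policies are constructed placeholders; the matcher covers 'self', 'none', scheme-sources and host-sources with wildcards, ports and paths, which is enough for this case, but it is not a complete CSP implementation.

```python
"""Evaluate a redirect Location against a CSP form-action directive.

Added example (not Bugzilla/BMO or Phabricator code). Models the behaviour
quoted from MDN in this bug: Chrome re-checks the redirect target of a form
submission against form-action, Firefox does not.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), []).extend(parts[1:])
    return policy


def _effective_port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)


def _same_origin(a, b):
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.hostname, _effective_port(a)) == (b.scheme, b.hostname, _effective_port(b))


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):                 # "*.example.org" matches subdomains only
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_allows(source, url, origin):
    """Does one CSP source expression permit `url`? (`origin` is the protected page's origin.)"""
    u = urlsplit(url)
    if source.startswith("'"):
        # 'self' is the only keyword meaningful for form-action; 'none', nonces and hashes never match.
        return source.strip("'").lower() == "self" and _same_origin(url, origin)
    src = source.lower()
    if src.endswith(":") and "/" not in src:     # scheme-source such as "https:"
        return u.scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]  (IPv6 literals not handled in this example)
    scheme = None
    if "://" in src:
        scheme, src = src.split("://", 1)
    hostport, _, path = src.partition("/")
    host, _, port = hostport.partition(":")
    if scheme is not None:
        if u.scheme != scheme:
            return False
    elif u.scheme != urlsplit(origin).scheme and u.scheme != "https":
        return False                             # scheme-less source: page's scheme, or an https upgrade
    if not _host_matches(host, u.hostname or ""):
        return False
    url_port = _effective_port(u)
    if port and port != "*":
        if url_port != int(port):
            return False
    elif not port and url_port != DEFAULT_PORTS.get(scheme or u.scheme):
        return False                             # no port listed: only the scheme's default port matches
    if path:
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def form_action_allows(csp_header, action_url, origin):
    """form-action has no fallback to default-src: absent directive means anything is allowed."""
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True
    return any(source_allows(s, action_url, origin) for s in sources)


def redirect_allowed(csp_header, location, origin, checks_redirects):
    """Post-submission 302: Chrome (checks_redirects=True) re-applies form-action, Firefox does not."""
    if not checks_redirects:
        return True
    return form_action_allows(csp_header, location, origin)


# Constructed inputs standing in for the bug's scenario.
ORIGIN = "https://bmo.example"
CSP_BEFORE = "default-src 'self'; form-action 'self'"
CSP_AFTER = "default-src 'self'; form-action 'self' https://phabricator.example"
LOCATION = "https://phabricator.example/auth/login/bugzilla:bmo/?code=constructed"

if __name__ == "__main__":
    for name, csp in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        for browser, checks in (("Firefox", False), ("Chrome", True)):
            print(f"{name:6} {browser:8} redirect allowed: {redirect_allowed(csp, LOCATION, ORIGIN, checks)}")
```

With the original policy the OAuth2 form POST to BMO itself passes ('self'), but Chrome then evaluates the 302 Location against form-action, finds phabricator.example absent and cancels the navigation; adding the Phabricator host as a source makes both browsers agree.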

See Also: → 1645034

Merged to master.

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Blocks: 1646200