Lando POST https://lando.services.mozilla.com/settings redirects to auth.mozilla.auth0.com, but is blocked by CSP
Categories: Conduit :: Lando, defect
Tracking: Not tracked
People: Reporter: robwu, Unassigned
I tried to set a Phabricator token in Lando because I wanted to uplift a patch.
The UI displayed an error message, "Connection error" or something, with no further information.
Upon opening the devtools console, I see that the POST request was redirected to Auth0, and blocked by CSP:
- POST to: https://lando.services.mozilla.com/settings
- Redirect target (blocked by CSP): https://auth.mozilla.auth0.com/authorize?client_id=...&response_type=code&scope=openid+profile+email+lando&redirect_uri=https%3A%2F%2Flando.services.mozilla.com%2Fredirect_uri&state=...&audience=https%3A%2F%2Fapi.lando.services.mozilla.com&prompt=none
Upon reloading the page, I could set the Phabricator token without issues.
Comment 1 • 26 days ago
Is this issue reproducible? Most likely, the session had to be refreshed before the request could go through, which could happen if you had been on the page for a while (>15min) before attempting to update the settings.
Comment 2 • 26 days ago (Reporter)
It all happened within a minute:
1. I opened Lando for a Phabricator revision.
2. I misclicked on Phabricator (not logged in by the way), hit back and then clicked on the settings icon to open the UI to input a Phabricator token.
3. I opened Phabricator in a container tab, copied the token and pasted it in the UI from step 2.
4. Observed errors as mentioned in the report.
5. I reloaded the tab and retried, without issues.
I cannot reproduce the issue, so all that can be done is to review the code that triggers POST to the /settings endpoint (on the client) and/or the handler of /settings. Then check why it redirects to Auth0 and whether it should do that, and whether it needs to be accepted by the CSP (connect-src).
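The connect-src check suggested in Comment 2, as an added example that is not part of the bug report or Lando's code: it walks a fetch redirect chain and reports the first hop a policy would block, since connect-src applies to every redirect target as well as the initial request. The two policies are constructed samples (not Lando's actual CSP), the function names are hypothetical, and source matching is simplified as noted in the comments.

```javascript
// Parse a CSP header value into the source list that governs fetch/XHR.
function connectSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // A duplicated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  // connect-src falls back to default-src; null means fetch is unrestricted.
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

// Simplified matching: 'self', *, scheme sources and host sources
// (optional scheme, leading "*." wildcard, optional port). Paths are ignored.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Assumption: a scheme-less host source is treated as https-only here.
  if (url.protocol !== (scheme ?? 'https') + ':') return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  if (port !== '*' && (url.port || defaultPort) !== (port ?? defaultPort)) return false;
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1))
                               : url.hostname === host;
}

// Return the first URL in the redirect chain that connect-src rejects, or null.
function firstBlockedHop(policy, pageOrigin, chain) {
  const sources = connectSources(policy);
  if (sources === null) return null;
  for (const hop of chain) {
    const url = new URL(hop);
    if (!sources.some((src) => sourceMatches(src, url, pageOrigin))) return hop;
  }
  return null;
}

const ORIGIN = 'https://lando.services.mozilla.com';
// Redirect chain from the report; the query string of the second hop is omitted.
const CHAIN = [ORIGIN + '/settings', 'https://auth.mozilla.auth0.com/authorize'];
// Constructed sample policies, for illustration only.
const SELF_ONLY = "default-src 'none'; connect-src 'self'; script-src 'self'";
const WITH_IDP = "default-src 'none'; connect-src 'self' https://auth.mozilla.auth0.com";

console.log(firstBlockedHop(SELF_ONLY, ORIGIN, CHAIN)); // the Auth0 hop
console.log(firstBlockedHop(WITH_IDP, ORIGIN, CHAIN));  // null
```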