
Include OAuth targets in "form-action" Content-Security-Policy

Description

Summary:
Ref T4340. Some "Register/Login" and "Link External Account" buttons are forms which submit to third-party sites. Whitelist these targets when pages render an OAuth form.

Safari, at least, also prevents a redirect to a third-party domain after a form submission to the local domain, so when we first redirect locally (as with Twitter and other OAuth1 providers) we need to authorize an additional URI.

Test Plan: Clicked all my registration buttons locally without hitting CSP issues.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19159
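As an added illustration of the policy this revision describes (this is not the revision's own code; the local origin, provider URIs and the two sample flows are constructed), the helper below builds a `form-action` directive from each login button's submit target and, for OAuth1-style buttons, the provider URI the local handler then redirects to, and checks both hops the way Safari does.

```python
from urllib.parse import urlsplit

SELF_ORIGIN = "https://phorge.example"  # assumed local install origin (constructed)

# Constructed sample flows: (URI the login form submits to, URI the server then
# redirects to, or None). OAuth2-style buttons post straight to the provider;
# OAuth1-style buttons (as with Twitter) post locally first and are redirected.
OAUTH_FLOWS = [
    ("https://github.com/login/oauth/authorize?client_id=x", None),
    ("https://phorge.example/login/twitter:example/",
     "https://api.twitter.com/oauth/authenticate?oauth_token=x"),
]


def csp_origin(uri):
    """Reduce an absolute URI to the scheme://host[:port] form used as a CSP source."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("form-action sources must be absolute URIs: %r" % uri)
    return "%s://%s" % (parts.scheme, parts.netloc)


def build_form_action(flows, self_origin=SELF_ORIGIN):
    """Keep 'self' for ordinary forms and whitelist each third-party origin once."""
    sources = ["'self'"]
    for submit_to, redirect_to in flows:
        # Safari also checks the post-submit redirect against form-action, so the
        # redirect target needs a source entry just like the form target does.
        for uri in (submit_to, redirect_to):
            if uri is None:
                continue
            origin = csp_origin(uri)
            if origin != self_origin and origin not in sources:
                sources.append(origin)
    return "form-action " + " ".join(sources)


def form_action_allows(directive, uri, self_origin=SELF_ORIGIN):
    """Simplified origin match of one navigation target against the directive."""
    sources = set(directive.split()[1:])
    origin = csp_origin(uri)
    if origin == self_origin and "'self'" in sources:
        return True
    return origin in sources


def flow_allowed(directive, flow, self_origin=SELF_ORIGIN):
    """Both hops (submit, then redirect) must pass for the button to work in Safari."""
    return all(form_action_allows(directive, u, self_origin) for u in flow if u)
```

`build_form_action(OAUTH_FLOWS)` yields `form-action 'self' https://github.com https://api.twitter.com`; with only `'self'` the Twitter flow fails on its second hop, which is the Safari behaviour the summary describes.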

Details

Provenance
epriestley: authored on Feb 28 2018, 7:07 PM
themackabu: pushed on Mar 25 2025, 8:07 PM
Parents
rPd5befb1a0ea3: Block use of "<base />" in the Content Security Policy
Branches
Unknown
Tags
Unknown