Automatic configuration of Content Security Policy form-action for Social Auth #12321
Comments
The intention was to handle that automatically, but the code doesn't cover all the cases: Lines 336 to 347 in 9259f38
PS: There is also #12302
PS2: I think in both cases it would be addressed by using
Do not use attributes, but rather rely on methods which will apply configuration and other sources for building the URL. Fixes WeblateOrg#12302 Fixes WeblateOrg#12321
Thank you for your report; the issue you have reported has just been fixed.
Describe the problem
The stricter Content Security Policy since Weblate 5.7 requires careful configuration of the CSP_FORM_SRC when using social authentication providers, because some browsers block redirects after a form submission.

Describe the solution you would like
It would be nice if enabling a social auth provider would also automatically set the appropriate form-action Content Security Policy header values. For example, when WEBLATE_SOCIAL_AUTH_AUTH0_DOMAIN is configured it could be automatically added to WEBLATE_CSP_FORM_SRC.

Describe alternatives you have considered
Describe the required setting of CSP_FORM_SRC in the social provider documentation based on the experience from hosted.weblate.org.

Screenshots
No response

Additional context
Depending on the provider (Auth0, possibly also others) there might be additional redirects to other authentication providers; these could not be automatically configured.
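The following is an added illustration of the behaviour the issue asks for, not Weblate's own code: it derives the form-action sources from the explicitly configured CSP_FORM_SRC entries plus the host named by a social auth provider setting, normalizing it to an https origin. The settings dict, the PROVIDER_HOST_SETTINGS table, the to_origin and form_action_sources helpers, and the assumption that SOCIAL_AUTH_AUTH0_DOMAIN holds a bare hostname and that 'self' is always included are all assumptions made for this example. It deliberately does not try to guess the further redirect targets mentioned above, since those depend on the provider's own configuration.

```python
from urllib.parse import urlsplit

# Settings that name the provider host the browser is sent to after the login
# form is submitted. Only the Auth0 domain setting appears in the issue; treating
# its value as a bare hostname is an assumption for this example.
PROVIDER_HOST_SETTINGS = ("SOCIAL_AUTH_AUTH0_DOMAIN",)

# Constructed sample settings (placeholder hosts, not real tenants).
EXAMPLE_SETTINGS = {
    "CSP_FORM_SRC": ["https://idp.example.test"],
    "SOCIAL_AUTH_AUTH0_DOMAIN": "tenant.example.auth0.test",
}


def to_origin(value):
    """Normalize 'host', 'host:port' or 'https://host/path' to an https origin.

    Returns None for empty, malformed or non-https values so that a bad
    setting never widens form-action to an unintended source.
    """
    value = (value or "").strip()
    if not value:
        return None
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname
    if parts.port and parts.port != 443:
        host = f"{host}:{parts.port}"
    return f"https://{host}"


def form_action_sources(settings):
    """Return de-duplicated form-action sources, in order: 'self' (assumed to be
    always needed for Weblate's own forms), explicit CSP_FORM_SRC entries, then
    origins derived from configured provider host settings."""
    sources = ["'self'"]
    for entry in settings.get("CSP_FORM_SRC", ()):
        if entry not in sources:
            sources.append(entry)
    for key in PROVIDER_HOST_SETTINGS:
        origin = to_origin(settings.get(key))
        if origin and origin not in sources:
            sources.append(origin)
    return sources


def form_action_directive(settings):
    """Render the directive as it would appear in the Content-Security-Policy header."""
    return "form-action " + " ".join(form_action_sources(settings)) + ";"


if __name__ == "__main__":
    print(form_action_directive(EXAMPLE_SETTINGS))
```

Running the block prints the directive built from the constructed settings; an operator can compare it against the form-action value the browser reports in a CSP violation to confirm the provider origin was picked up.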