[openstreetmap/openstreetmap-website] OAuth2 form-action CSP error (Issue #3424)

Robbendebiene notifications at github.com
Mon Jan 17 10:49:02 UTC 2022


> Have you already authorized the application? What happens if you remove that authorization - does it work then?

If the application is already authorized then we get "stuck" at the login screen with the reported failure.

If not then everything works as expected without any error. First the login screen appears, then the "grant permissions" page, where the confirmation successfully closes the web view and redirects to our app.

> I suspect what is happening is that login is redirecting to authorize which is then redirecting to your callback because the application was already authorized and the browser is applying the original policy from login rather than the one sent by the redirect to authorize.

Sounds plausible to me.

> That's a pain because it means reducing the policy for login even more :-(

I see, but couldn't this be at least made exceptional? So it is only loosened when containing the redirect to the OAuth authorization endpoint?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3424#issuecomment-1014383685
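
Added example, not part of the original message or the openstreetmap-website code: a simplified Ruby model of the hypothesis quoted above, in which the browser checks every redirect hop of a form submission against the `form-action` policy of the page that holds the form. Host names, paths, header values and the `exampleapp:` callback scheme are constructed, and source matching ignores ports and paths.

```ruby
require "uri"

# Constructed sample values (not taken from the issue).
LOGIN_PAGE = "https://osm.example/login"
LOGIN_CSP  = "default-src 'self'; form-action 'self'"
GRANT_PAGE = "https://osm.example/oauth2/authorize"
GRANT_CSP  = "default-src 'self'; form-action 'self' exampleapp:"
CALLBACK   = "exampleapp://oauth/callback?code=constructed"

# Extract the source list of the form-action directive from a CSP header value.
# Returns nil when the directive is absent (form submissions are then unrestricted).
def form_action_sources(csp)
  csp.split(";").map(&:split).find { |name, *| name&.downcase == "form-action" }&.drop(1)
end

# Simplified source matching: 'none', 'self', scheme sources ("https:") and
# host sources with optional scheme and "*." wildcard.
def source_matches?(source, url, page_origin)
  case source
  when "'none'" then false
  when "'self'"
    [url.scheme, url.host, url.port] == [page_origin.scheme, page_origin.host, page_origin.port]
  when /\A[a-z][a-z0-9+.-]*:\z/i then url.scheme.casecmp?(source.chomp(":"))
  else
    scheme, host = source.include?("://") ? source.split("://", 2) : [nil, source]
    return false if scheme && !url.scheme.casecmp?(scheme)
    return false if url.host.nil?
    host.start_with?("*.") ? url.host.end_with?(host[1..-1]) : url.host.casecmp?(host)
  end
end

# Walk the submission target plus every redirect hop under the policy of the page
# that holds the form. Returns the first blocked URL, or nil if all hops pass.
def first_blocked_hop(csp, page_url, chain)
  sources = form_action_sources(csp)
  return nil if sources.nil?
  origin = URI.parse(page_url)
  chain.find { |hop| sources.none? { |s| source_matches?(s, URI.parse(hop), origin) } }
end

# Already authorized: the login form's submission is redirected straight through
# to the app callback, so the login page's policy is the one applied.
puts first_blocked_hop(LOGIN_CSP, LOGIN_PAGE, [LOGIN_PAGE, GRANT_PAGE, CALLBACK]).inspect
# Not yet authorized: the grant page is rendered and its own form is submitted.
puts first_blocked_hop(GRANT_CSP, GRANT_PAGE, [GRANT_PAGE, CALLBACK]).inspect
```

In this model the already-authorized chain is stopped at the callback hop, while the chain that starts from the grant page passes, matching the two outcomes reported in the message.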