[openstreetmap/openstreetmap-website] Allow HTTP to localhost on list of redirect URIs for OAuth2 applications (Issue #3613)
Tom Hughes
notifications at github.com
Fri Jul 22 10:54:01 UTC 2022
Right so this isn't really CORS as such - that is where loading a resource is rejected because the resource has a CORS policy that prevents a cross origin load.
What is happening here is that the popup is successfully redirecting back to the 127.0.0.1 URL but then tries to make a function call on the parent window and that is rejected because the parent window has a different origin to the popup at that point.
If you had actually visited http://127.0.0.1:3000/ originally then everything would have worked and this setup (using a popup for the authentication) is tricky in general when there are multiple names for the site because you have to make sure the callback matches the name the user used to access the site.
I think a workaround would be for the callback to reload/redirect to the preferred name before making the function call to the parent - so if the callback knows the application was accessed as localhost but it is loaded as 127.0.0.1 then it reloads to localhost and only then does the function call.
We can consider allowing HTTP to localhost but I need to think if there are any security implications, because there is no guarantee that localhost resolves to a loopback address.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3613#issuecomment-1192447915
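The workaround described in the comment above (the callback page re-aligning itself to the name the user actually used before calling into the opener), written out as an added example. This is not code from the openstreetmap-website project; it assumes the callback page knows the application's canonical origin as a constant (PREFERRED_ORIGIN) and that the opener exposes a function named oauthCallback, both of which are hypothetical names chosen for the example.

```javascript
// Added example, not part of the original thread or the project.
// "localhost" and "127.0.0.1" are different origins to the browser even when
// both reach the same loopback server, so a popup loaded on one cannot call
// functions on an opener loaded on the other.

// Assumed: the name the application is meant to be reached by. The callback
// page is served by the application itself, so it can know this.
const PREFERRED_ORIGIN = "http://localhost:3000";

// Decide what the callback page should do given the URL it actually loaded
// on and the origin the opener lives on. Returns a plain object so the
// decision can be inspected without a browser.
function planCallback(currentHref, preferredOrigin) {
  const current = new URL(currentHref);
  const preferred = new URL(preferredOrigin);
  // Same scheme, host and port: calling into the opener is permitted.
  if (current.origin === preferred.origin) {
    return { action: "notify" };
  }
  // Different host (e.g. 127.0.0.1 vs localhost): rebuild the same path and
  // query (the OAuth2 "code" and "state" parameters live there) on the
  // preferred origin and reload, so the next load shares the opener's origin.
  const target = new URL(current.pathname + current.search + current.hash, preferred.origin);
  return { action: "redirect", url: target.href };
}

// Pull the authorization response parameters out of the callback URL.
function extractAuthResult(href) {
  const params = new URL(href).searchParams;
  return {
    code: params.get("code"),
    state: params.get("state"),
    error: params.get("error"),
  };
}

// Browser entry point. Takes the window as a parameter so it can be exercised
// with a stand-in object outside a browser.
function handleCallbackPage(win) {
  const plan = planCallback(win.location.href, PREFERRED_ORIGIN);
  if (plan.action === "redirect") {
    // replace() rather than assign(): the mismatched URL should not stay in
    // history, and the reloaded page runs this same logic on the right origin.
    win.location.replace(plan.url);
    return plan;
  }
  const result = extractAuthResult(win.location.href);
  // Hypothetical opener function; by now both windows share an origin, so the
  // browser allows the call that previously failed.
  if (win.opener && typeof win.opener.oauthCallback === "function") {
    win.opener.oauthCallback(result);
  }
  if (typeof win.close === "function") win.close();
  return plan;
}

if (typeof window !== "undefined") {
  handleCallbackPage(window);
}
```

The redirect keeps the query string intact, so the authorization code and state survive the hop; the origin comparison uses URL.origin, which already accounts for scheme and port, so localhost:3000 and localhost:4000 are also treated as distinct.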