Closed michael-smt closed 2 weeks ago
The intention was to handle that automatically, but the code doesn't cover all the cases:
PS: There is also https://github.com/WeblateOrg/weblate/issues/12302
PS2: I think in both cases it would be addressed by using the authorization_url() method instead of the AUTHORIZATION_URL attribute.
Thank you for your report; the issue you have reported has just been fixed.
Describe the problem

The stricter Content Security Policy since Weblate 5.7 requires careful configuration of the CSP_FORM_SRC when using social authentication providers, because some browsers block redirects after a form submission.

Describe the solution you would like

It would be nice if enabling a social auth provider would also automatically set the appropriate form-action Content Security Policy header values.

For example when WEBLATE_SOCIAL_AUTH_AUTH0_DOMAIN is configured it could be automatically added to WEBLATE_CSP_FORM_SRC.

Describe alternatives you have considered

Describe the required setting of CSP_FORM_SRC in the social provider documentation based on the experience from hosted.weblate.org.

Screenshots
No response
Additional context
Depending on the provider (Auth0, possibly also others) there might be additional redirects to other authentication providers; these could not be automatically configured.
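
An added illustration, not Weblate's code and not part of the thread: deriving form-action sources from each backend's authorization_url() rather than its AUTHORIZATION_URL attribute, with an operator-supplied list for the onward redirects mentioned under "Additional context". The backend classes, host names and function names are constructed for the example, and it assumes a backend whose URL depends on a configured domain leaves the attribute empty.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for social auth backends (hypothetical, for illustration only).
class StaticBackend:
    AUTHORIZATION_URL = "https://login.example.com/oauth/authorize"

    def authorization_url(self):
        return self.AUTHORIZATION_URL

class DomainBackend(StaticBackend):
    AUTHORIZATION_URL = ""  # assumption: URL is built from a configured domain

    def __init__(self, domain):
        self.domain = domain

    def authorization_url(self):
        return f"https://{self.domain}/authorize"

def origin_of(value):
    """Reduce a URL or bare host name to a CSP source (scheme://host[:port])."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value  # assumption: bare hosts are served over HTTPS
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable origin: {value!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname.lower()}{port}"

def sources_from_attribute(backends):
    """Attribute-only lookup: misses backends that compute their URL."""
    urls = [b.AUTHORIZATION_URL for b in backends if b.AUTHORIZATION_URL]
    return ["'self'"] + [origin_of(u) for u in urls]

def form_action_sources(backends, extra=()):
    """'self', every backend's effective authorization origin, then operator extras."""
    sources = ["'self'"]
    for url in [b.authorization_url() for b in backends] + list(extra):
        src = origin_of(url)
        if src not in sources:  # keep the header free of duplicates
            sources.append(src)
    return sources

def form_action_directive(sources):
    return "form-action " + " ".join(sources)

if __name__ == "__main__":
    backends = [StaticBackend(), DomainBackend("tenant.auth0.example")]
    print(form_action_directive(sources_from_attribute(backends)))
    print(form_action_directive(form_action_sources(backends, ["idp.example.org"])))
```
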