Closed michael-smt closed 2 weeks ago
nijel
commented
2 weeks ago The intention was to handle that automatically, but the code doesn't cover all the cases:
PS: There is also https://github.com/WeblateOrg/weblate/issues/12302
PS2: I think in both cases it would be addressed by using authorization_url() method instead of AUTHORIZATION_URL atribute.
github-actions[bot]
commented
2 weeks ago Thank you for your report; the issue you have reported has just been fixed.
github-actions[bot]
commented
2 weeks ago Thank you for your report; the issue you have reported has just been fixed.
Describe the problem
The stricter Content Security Policy since Weblate 5.7 requires careful configuration of the
CSP_FORM_SRCwhen using social authentication providers, because some browsers block redirects after a form submission.Describe the solution you would like
It would be nice if enabling a social auth provider would also automatically set the appropriate
form-actionContent Security Policy header values.For example when
WEBLATE_SOCIAL_AUTH_AUTH0_DOMAINis configured it could be automatically added toWEBLATE_CSP_FORM_SRC.Describe alternatives you have considered
Describe the required setting of
CSP_FORM_SRCin the social provider documentation based on the experience from hosted.weblate.org.Screenshots
No response
Additional context
Depending on the provider (Auth0, possibly also others) there might be additional redirects to other authentication providers, these could not be automatically configured.