andstatus / andstatus

Multiple accounts client for multiple social networks. For Android
http://andstatus.org/
Apache License 2.0
307 stars 69 forks

Mastodon login doesn't work for Friendica instance #558

Closed kr428 closed 1 year ago

kr428 commented 2 years ago

On my device (in combination with my Mastodon instance), login with the embedded web view, which is apparently used by AndStatus, doesn't seem to work. Though I get to the browser login and access-granting page, I don't get redirected from there to the app, so I can't log in. With Firefox/Fennec/some other browsers on my device, this works well. Would it be possible to make AndStatus use the default browser rather than the embedded web view for login?

yvolk commented 2 years ago

With Firefox/Fennec/some other browsers on my device, this works well.

Please explain, what "works well"? And how do you check this, step-by-step?

kr428 commented 2 years ago

Ah, sorry. Yes. Expected flow: enter the URL of the Mastodon instance. Be redirected to the instance login in a browser view. Enter your credentials. Grant access. Be redirected to AndStatus with an OAuth token, I guess.

On my device, with some instances of Mastodon or Friendica, this does not seem to work with the Android web view (for whichever reasons): either I cannot log in at all or, after logging in and granting access, I don't get redirected to the app but just stay in the web view with nothing else happening. But using a browser like Firefox or Fennec, this flow works just as described for instances in apps like tooot or fedilab that use the system default browser. Unfortunately, AndStatus seems to always use the same web view (regardless of which is the default browser on my device), so I can't log in to some accounts in AndStatus this way. Does that help make it clearer?

yvolk commented 2 years ago

Aha, got it. So it works with the same Mastodon instance, but using other Android apps ("tooot or fedilab that use system default browser"). Q1. Could you point me to the Mastodon instance with which AndStatus login doesn't work, so I will register there and check what is wrong/different there? Q2. What's the model of your device, and which Android version does it have?

kr428 commented 2 years ago

Ah, it's a Friendica instance actually, with the Mastodon API (https://loma.ml). The flow is the same however - for testing, for example, tooot (with this binary - https://github.com/tooot-app/app/releases) is my testing point for that. With the "default" web view, I can't connect to the instance. With some other browsers (Chromium, Brave), I can't either. With Fennec or Firefox, I can.

Device is a Samsung M51, stock Android 12 ROM. Is there anything else I can debug here?

yvolk commented 2 years ago

@kr428 I created an account at Loma.ml and tried to log in using the AndStatus app. The login process stopped at the "Authorize..." page (another time - at the Login page): tapping a form button ("Yes" on the authorize page, "Login" on the other page...) produces this error in the logs:

2022-06-18 15:15:59.718 7105-7105/org.andstatus.app I/chromium: [INFO:CONSOLE(0)] 
"Refused to send form data to 'http://oauth-redirect.andstatus.org/' 
because it violates the following Content Security Policy directive: 
"form-action 'self' *.loma.ml".
    ", source: https://loma.ml/oauth/acknowledge?return_path=oauth%2Fauthorize%3Fscope%3Dread%2Bwrite%2Bfollow%26response_type%3Dcode%26client_id%3D6ee2e631a65a0b11f0e3d4fb91decb7adf36a547cae231d3266f7466774f62ed%26redirect_uri%3Dhttp%253A%252F%252Foauth-redirect.andstatus.org%26state%3Dstate_55_1655554431549&application=AndStatus (0)

And really, in a response header from the server I do see, in particular:

content-security-policy: [default-src 'none'; connect-src 'self' *.loma.ml; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *.loma.ml; img-src 'self' https:; media-src 'self' https:; font-src 'self' *.loma.ml; style-src 'self' 'unsafe-inline' *.loma.ml; worker-src 'self' *.loma.ml; object-src 'self' *.loma.ml; base-uri 'self' *.loma.ml; frame-src 'self' https:; manifest-src 'self' *.loma.ml; 
frame-ancestors 'self' *.loma.ml; 
form-action 'self' *.loma.ml;], 

So it looks like this is really a bug of the Friendica site that should be fixed by the Friendica team. Switching to a browser that ignores such a security problem is not a proper solution, I think.

More details on similar problem here: https://stackoverflow.com/questions/41942834/content-security-policy-not-allowing-form-submission
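As an added example (not AndStatus or Friendica code), the check below evaluates a form submission against the form-action directive quoted above, following the CSP Level 3 source-expression matching rules for the expression kinds that header uses ('self', 'none', scheme:, host, *.host, scheme://host). The policy string and URLs are taken from the log above; ports and paths are ignored for brevity.

```javascript
// Parse a CSP header into a Map of directive name -> lowercased source list.
// A repeated directive is ignored, as CSP3 requires (the first one wins).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map(s => s.toLowerCase()));
    }
  }
  return directives;
}

// CSP "scheme-part" match: identical scheme, or an http->https / ws->wss upgrade.
function schemeMatches(expr, actual) {
  return expr === actual || (expr === 'http:' && actual === 'https:') ||
         (expr === 'ws:' && actual === 'wss:');
}

// "*.loma.ml" matches any subdomain of loma.ml but not loma.ml itself.
function hostMatches(expr, actual) {
  return expr.startsWith('*.') ? actual.endsWith(expr.slice(1)) : expr === actual;
}

function sourceMatches(source, page, target) {
  if (source === "'self'") {
    return schemeMatches(page.protocol, target.protocol) && page.hostname === target.hostname;
  }
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return schemeMatches(source, target.protocol); // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9*.-]+)/.exec(source);
  if (!m) return false;                               // keywords, nonces and hashes never match a URL
  const scheme = m[1] ? m[1] + ':' : page.protocol;   // a scheme-less host inherits the page's scheme
  return schemeMatches(scheme, target.protocol) && hostMatches(m[2], target.hostname);
}

// form-action has no fallback to default-src: with no directive, every action URL is allowed.
function formActionAllowed(cspHeader, pageUrl, actionUrl) {
  const sources = parseCsp(cspHeader).get('form-action');
  if (sources === undefined) return true;
  if (sources.includes("'none'")) return false;
  const page = new URL(pageUrl), target = new URL(actionUrl);
  return sources.some(src => sourceMatches(src, page, target));
}

// Policy and page from the loma.ml log above; the OAuth redirect target is http, not https.
const LOMA_CSP = "default-src 'none'; form-action 'self' *.loma.ml;";
const LOMA_PAGE = 'https://loma.ml/oauth/acknowledge';
console.log(formActionAllowed(LOMA_CSP, LOMA_PAGE, 'http://oauth-redirect.andstatus.org/')); // false
```

Because a scheme-less allow-list entry inherits the https scheme of the page, an admin who wants to permit this redirect must list it with its scheme, http://oauth-redirect.andstatus.org, not just the bare host.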

AlfredSK commented 2 years ago

Friendica doesn't ship a CSP. That's something the admin has configured manually for that node/server. So it needs to be fixed by the admin of that server, I think.

yvolk commented 2 years ago

Thank you @AlfredSK! @kr428, please report the configuration error to the site's admin.