OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
Modern browsers like Chrome follow the Content-Security-Policy directives. With the current version of helmet this is set to 'self' only: https://github.com/helmetjs/helmet/blob/main/CHANGELOG.md#changed-3
Due to this, the forwarding to callback URLs during authorization is blocked by the browsers if the host of the callback URL is not specified as form-action in the CSP header.
This change allows configuring the form-action parameter. If nothing is configured, it will still use the default of helmet.
Types of changes
What types of changes does your code introduce to the project: Put an x in
the boxes that apply
[x] Bugfix (non-breaking change which fixes an issue)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality
to not work as expected)
Checklist
Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.
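The effect described in this PR can be modelled as follows. This is an added example, not code from the pull request, the project or helmet: it builds a `form-action` source list from configured hosts and checks callback URLs against it with a simplified version of the browser's source matching. The function names and the sample hosts are assumptions.

```javascript
'use strict';
// Added illustration; all names and hosts below are hypothetical.
// Accepted source form: scheme://host[:port], optionally with a leading "*." wildcard.
const SOURCE_RE = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i;
const effectivePort = (protocol, port) => port || (protocol === 'https:' ? '443' : '80');

// 'self' is always kept; configured hosts are appended after validation so a
// bare "*" or a value containing ";" cannot widen or break the directive.
function buildFormAction(extraSources = []) {
  const sources = ["'self'"];
  for (const src of extraSources) {
    if (!SOURCE_RE.test(src)) throw new Error(`invalid form-action source: ${src}`);
    if (!sources.includes(src)) sources.push(src);
  }
  return sources;
}

function toDirective(sources) {
  return `form-action ${sources.join(' ')}`;
}

// Simplified matching: 'self' compares origins; other sources compare scheme,
// port and host ("*.host" matches subdomains only). Paths are ignored.
function isAllowed(targetUrl, sources, selfOrigin) {
  const target = new URL(targetUrl);
  const targetPort = effectivePort(target.protocol, target.port);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === new URL(selfOrigin).origin;
    const m = SOURCE_RE.exec(src);
    if (!m) return false;
    const [, scheme, wildcard, host, port] = m;
    const proto = `${scheme.toLowerCase()}:`;
    if (target.protocol !== proto || targetPort !== effectivePort(proto, port)) return false;
    const h = host.toLowerCase();
    return wildcard ? target.hostname.endsWith(`.${h}`) : target.hostname === h;
  });
}

const IDM = 'https://idm.example.org'; // constructed identity provider origin
const CALLBACK = 'https://app.example.com/oauth/callback?code=abc'; // constructed callback URL
function demo() {
  const configured = buildFormAction(['https://app.example.com']);
  return {
    header: toDirective(configured),
    blockedByDefault: !isAllowed(CALLBACK, buildFormAction(), IDM),
    allowedWhenConfigured: isAllowed(CALLBACK, configured, IDM),
    lookalikeStillBlocked: !isAllowed('https://app.example.com.other.test/cb', configured, IDM),
  };
}
console.log(demo());
```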