Conversation
MKodde
left a comment
MKodde
left a comment
There was a problem hiding this comment.
Conceptually this makes lots of sense. Not sure about the logout button tho, or did that also trigger the same CSP error?
Given the fact we are not actually logging out, this is not a big issue in my opinion.
| <p>{{ 'ss.registration.vetting_type.description.ra_vetting'|trans }}</p> | ||
| <form action="{{ url('ss_registration_send_registration_email', {'secondFactorId': secondFactorId}) }}" method="get"> | ||
| <a href="{{ url('ss_registration_send_registration_email', {'secondFactorId': secondFactorId}) }}"> | ||
| <button type="submit" class="btn btn-primary">{{ 'ss.registration.vetting_type.button.ra_vetting'|trans }}</button> |
There was a problem hiding this comment.
This construction is not 100% yet from a html structure point of view.
I'd say: remove the <button> element but keep the button text as the anchor text for the <a> element. And style the <a> to make it look like a button. I think we already have utility (css) classes ready for that.
Would you be so kind to look into that?
There was a problem hiding this comment.
Sorry, I spent the entire afternoon but I can't get it to look visually the same without the button-tags. Leaving it 'as-is', but feel free to try it yourself
| {% if app.user %} | ||
| <div class="clearfix page-header-user"> | ||
| <form method="post" action="{{ logout_url('saml_based') }}" class="pull-right"> | ||
| <a href="{{ logout_url('saml_based') }}" class="pull-right"> |
|
Logout got me the same CSP-error yes. Our logout-url is on another domain. |
| {% if app.user %} | ||
| <div class="clearfix page-header-user"> | ||
| <form method="post" action="{{ logout_url('saml_based') }}" class="pull-right"> | ||
| <a href="{{ logout_url('saml_based') }}" class="pull-right"> |
There was a problem hiding this comment.
I don't think this will work because it changes the POST to a GET, and selfservice does not allow GET requests to the logout endpoint.
There was a problem hiding this comment.
That's cheating, because the GET-method was only removed two weeks ago ;)
There was a problem hiding this comment.
Not quite, in 4.0.9 (released Jun 6, 2023) I can also not use GET for logout, it only accepts POST.
thijskh
left a comment
thijskh
left a comment
There was a problem hiding this comment.
As noted in the comment, this appears to break logout when merged as-is
4 participants
When setting a Content-Security-Policy with
form-action *.<your-domain>.nl, the forms won't work in Edge/Chrome.See this article, paragraph "Can the form-action redirect to another url?" for the reason behind this. TL;DR: Edge/Chrome does not allow the form's POST-destination to perform a redirect.
Replacing the unnecessary forms with simple links resolves this issue and allows for a stricter CSP-policy.
Previously discussed on Slack with @MKodde