@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Perform a client-side redirect after OAuth server authorization

Summary:
Ref T13099. See that task for discussion. Chrome is unhappy with an MFA form submitting to an endpoint which redirects you to an OAuth URI.

Instead, do the redirect entirely on the client.

Chrome's rationale here isn't obvious, so we may be able to revert this at some point.

Test Plan: Went through the OAuth flow locally, was redirected on the client. Will verify in production.

Maniphest Tasks: T13099

Differential Revision: https://secure.phabricator.com/D19177
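The mechanism the summary describes, a CSP `form-action` directive that Chrome also applies to the redirects following a form submission, modelled as an added example; this is illustrative code, not code from the Phabricator or Phorge commit, and every origin, URL and header value in it is constructed (the matcher is a simplified version of CSP source-expression matching, not the full algorithm).

```javascript
// Added example, not code from the Phabricator/Phorge commit: a small model of
// how a CSP "form-action" directive constrains a form submission, optionally
// applied to the redirect chain that follows the submission (the Chrome
// behaviour the commit summary describes). Every origin, URL and header value
// below is constructed for illustration.

// Return the form-action source list from a CSP header value, or null when the
// directive is absent. Unlike fetch directives, form-action does not fall back
// to default-src, so "absent" means "unrestricted".
function parseFormAction(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'form-action') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Simplified CSP source-expression matcher: handles 'self', 'none', '*',
// scheme-only sources ("https:") and host sources with an optional scheme,
// optional "*." wildcard and optional port. Path components are ignored.
function sourceMatches(source, pageOrigin, url) {
  const target = new URL(url);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.\-]*:$/.test(s)) return target.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) {
    if (!target.hostname.endsWith(host.slice(1))) return false;
  } else if (target.hostname !== host) {
    return false;
  }
  const defaultPorts = { 'https:': '443', 'http:': '80' };
  const targetPort = target.port || defaultPorts[target.protocol] || '';
  if (port && port !== '*' && targetPort !== port) return false;
  return true;
}

// Evaluate a form submission against the page's CSP. `navigationChain` is the
// form's action URL followed by each "Location" the server redirects to.
// With applyToRedirects=true every hop is checked, as the summary says Chrome
// does; with false only the initial action URL is checked.
function checkFormSubmission(cspHeader, pageOrigin, navigationChain,
                             { applyToRedirects = true } = {}) {
  const sources = parseFormAction(cspHeader);
  if (sources === null) return { allowed: true, blockedAt: null };
  const hops = applyToRedirects ? navigationChain : navigationChain.slice(0, 1);
  for (const hop of hops) {
    if (!sources.some((src) => sourceMatches(src, pageOrigin, hop))) {
      return { allowed: false, blockedAt: hop };
    }
  }
  return { allowed: true, blockedAt: null };
}

// Constructed scenario: the MFA form posts to the install, which redirects to
// the OAuth server endpoint, which used to 302 out to the client's callback.
const CSP = "default-src 'self'; form-action 'self'; frame-ancestors 'none'";
const ORIGIN = 'https://phorge.example';
const MFA_FORM = 'https://phorge.example/auth/mfa/';
const OAUTH_AUTH = 'https://phorge.example/oauthserver/auth/';
const CALLBACK = 'https://client.example/oauth/callback?code=CONSTRUCTED';

// Before the change: the external callback is a redirect hop of the form
// submission, so a browser that applies form-action to redirects blocks it.
const before = checkFormSubmission(CSP, ORIGIN, [MFA_FORM, OAUTH_AUTH, CALLBACK]);

// After the change: the endpoint answers 200 with an interstitial, and the
// script-driven navigation to CALLBACK is a separate navigation, not part of
// the form submission, so form-action does not govern it.
const after = checkFormSubmission(CSP, ORIGIN, [MFA_FORM, OAUTH_AUTH]);

console.log('before:', before, 'after:', after);
```

Running it with `node` shows the first chain blocked at the external callback and the second chain allowed, which is exactly the difference between returning a `Location` redirect and rendering an interstitial that navigates from script. The same model also shows the alternative the commit did not take: adding the client's origin to `form-action` would allow the redirect, but that is impractical for an OAuth server whose clients are registered at runtime.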

+42 -3
+6
resources/celerity/map.php
··· 502 502 'rsrc/js/core/behavior-phabricator-nav.js' => '836f966d', 503 503 'rsrc/js/core/behavior-phabricator-remarkup-assist.js' => 'acd29eee', 504 504 'rsrc/js/core/behavior-read-only-warning.js' => 'ba158207', 505 + 'rsrc/js/core/behavior-redirect.js' => '0213259f', 505 506 'rsrc/js/core/behavior-refresh-csrf.js' => 'ab2f381b', 506 507 'rsrc/js/core/behavior-remarkup-preview.js' => '4b700e9e', 507 508 'rsrc/js/core/behavior-reorder-applications.js' => '76b9fc3e', ··· 686 687 'javelin-behavior-project-create' => '065227cc', 687 688 'javelin-behavior-quicksand-blacklist' => '7927a7d3', 688 689 'javelin-behavior-read-only-warning' => 'ba158207', 690 + 'javelin-behavior-redirect' => '0213259f', 689 691 'javelin-behavior-refresh-csrf' => 'ab2f381b', 690 692 'javelin-behavior-releeph-preview-branch' => 'b2b4fbaf', 691 693 'javelin-behavior-releeph-request-state-change' => 'a0b57eb8', ··· 933 935 'javelin-json', 934 936 'javelin-dom', 935 937 'phabricator-keyboard-shortcut', 938 + ), 939 + '0213259f' => array( 940 + 'javelin-behavior', 941 + 'javelin-uri', 936 942 ), 937 943 '04b2ae03' => array( 938 944 'javelin-install',
+27 -3
src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
··· 172 172 )); 173 173 174 174 if ($client->getIsTrusted()) { 175 - return id(new AphrontRedirectResponse()) 176 - ->setIsExternal(true) 177 - ->setURI((string)$full_uri); 175 + // NOTE: See T13099. We currently emit a "Content-Security-Policy" 176 + // which includes a narrow "form-action". At the time of writing, 177 + // Chrome applies "form-action" to redirects following form submission. 178 + 179 + // This can lead to a situation where a user enters the OAuth workflow 180 + // and is prompted for MFA. When they submit an MFA response, the form 181 + // can redirect here, and Chrome will block the "Location" redirect. 182 + 183 + // To avoid this, render an interstitial. We only actually need to do 184 + // this in Chrome (but do it everywhere for consistency) and only need 185 + // to do it if the request is a redirect after a form submission (but 186 + // we can't tell if it is or not). 187 + 188 + Javelin::initBehavior( 189 + 'redirect', 190 + array( 191 + 'uri' => (string)$full_uri, 192 + )); 193 + 194 + return $this->newDialog() 195 + ->setTitle(pht('Authenticate: %s', $name)) 196 + ->setRedirect(true) 197 + ->appendParagraph( 198 + pht( 199 + 'Authorization for "%s" confirmed, redirecting...', 200 + phutil_tag('strong', array(), $name))) 201 + ->addCancelButton((string)$full_uri, pht('Continue')); 178 202 } 179 203 180 204 // TODO: It would be nice to give the user more options here, like
+9
webroot/rsrc/js/core/behavior-redirect.js
··· 1 + /** 2 + * @provides javelin-behavior-redirect 3 + * @requires javelin-behavior 4 + * javelin-uri 5 + */ 6 + 7 + JX.behavior('redirect', function(config) { 8 + JX.$U(config.uri).go(); 9 + });
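Review bot: in the map.php hunk the new '0213259f' dependency entry lists `javelin-behavior` and `javelin-uri`, which matches the `@requires` block in behavior-redirect.js, and the same hash is used for both the file path and the `javelin-behavior-redirect` symbol, so the map looks regenerated rather than hand-edited; worth confirming that it was produced by the Celerity map tool so the hashes stay in sync with the file contents.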
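Review bot: in the PhabricatorOAuthServerAuthController.php hunk the interstitial hands `$full_uri` to the client verbatim (`'uri' => (string)$full_uri`, then navigated by the `redirect` behavior), so the redirect target must already have been validated against the client's registered redirect URI before line 174 is reached; that validation is outside this hunk, and the reviewer should confirm it still runs on this path rather than assuming the former `AphrontRedirectResponse` branch covered it. It is good that `->addCancelButton((string)$full_uri, pht('Continue'))` keeps a plain link as a fallback for clients without script. The NOTE comment should also record that this branch now answers with a 200 and a dialog instead of a redirect response, since tests or logging that keyed on the redirect status of this endpoint will see a different result.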
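Review bot: in the behavior-redirect.js hunk `JX.$U(config.uri).go();` navigates unconditionally as soon as the behavior initializes, with no guard on `config.uri` being present. That is acceptable for the single caller added here, which passes a server-supplied URI, but a one-line guard such as `if (!config.uri) { return; }` would make the behavior safe to reuse from other controllers, and a short comment pointing at T13099 in the file itself would explain why a client-side redirect exists at all, since the rationale currently lives only in the PHP controller.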