Allow redirects to authentication services from the settings page

Chrome and Safari require redirects to match the form-action rule as well as the original submission address.
2020-10-29 21:25:47 +00:00 · 2020-10-29 21:25:47 +00:00 · 20ce10a9ef
commit 20ce10a9ef
parent 484cb3f415
1 changed files with 4 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -119,6 +119,10 @@ class UsersController < ApplicationController
  def account
    @tokens = current_user.oauth_tokens.authorized

+    append_content_security_policy_directives(
+      :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
+    )
+
    if params[:user] && params[:user][:display_name] && params[:user][:description]
      if params[:user][:auth_provider].blank? ||
         (params[:user][:auth_provider] == current_user.auth_provider &&