Safari enforces form-action against every hop in a form submission's redirect chain. When a user signed in (with TOTP, or through a skip_consent OIDC app), the chain /signin or /totp-verification -> /oauth/authorize -> external client got blocked at the cross-origin hop because form-action was 'self'. The existing dynamic CSP widening in OidcController#authorize only ran when the consent page rendered, so skip_consent and pre-consented flows had no widening at all. Add allow_oauth_redirect_in_csp on the sign-in and TOTP pages, which pulls the OAuth redirect_uri out of session[:return_to_after_authenticating] and appends its host to form-action for the rendered page.
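The following plain Ruby is an added example, not the project's own allow_oauth_redirect_in_csp, written to run outside Rails. It shows the checks such a helper needs when it pulls redirect_uri out of the stored return_to path (only the /oauth/authorize path, only an absolute http(s) redirect_uri, origin rather than full URL), and it models Safari's per-hop form-action check so the difference between the static policy and the widened one is visible. The /oauth/authorize path and the session key come from the description above; the function names, the exact-origin CSP matching and the sample URLs are constructed for illustration.

```ruby
require "uri"
require "cgi"

# Path of the authorize endpoint named in the description; the stored
# return_to must point here before we add anything to form-action.
OAUTH_AUTHORIZE_PATH = "/oauth/authorize"

# Origin ("scheme://host[:port]") of an absolute URL. Used both for the
# redirect_uri we widen to and for the hops in the simulated chain.
def origin_of(url)
  u = URI.parse(url)
  origin = "#{u.scheme}://#{u.host}"
  origin += ":#{u.port}" if u.port && u.port != u.default_port
  origin
end

# Return the origin of the OAuth redirect_uri carried in the return_to path
# (the value the app keeps in session[:return_to_after_authenticating]), or
# nil when nothing should be added: no return_to, a return_to that is not
# the authorize endpoint, no redirect_uri, or a redirect_uri that is not an
# absolute http(s) URL (custom app schemes get nothing).
def oauth_redirect_origin(return_to)
  return nil if return_to.nil? || return_to.empty?
  begin
    uri = URI.parse(return_to)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.path == OAUTH_AUTHORIZE_PATH && uri.query

  # CGI.parse percent-decodes the value; a missing key yields [].
  redirect_uri = CGI.parse(uri.query)["redirect_uri"].first
  return nil if redirect_uri.nil? || redirect_uri.empty?
  begin
    target = URI.parse(redirect_uri)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless %w[http https].include?(target.scheme) && target.host

  origin_of(redirect_uri)
end

# form-action source list for the rendered sign-in or TOTP page: the static
# sources plus the redirect origin, without duplicating an existing entry.
def form_action_with_oauth_redirect(base_sources, return_to)
  origin = oauth_redirect_origin(return_to)
  return base_sources.dup if origin.nil? || base_sources.include?(origin)
  base_sources + [origin]
end

# Model of the Safari behaviour described above: every hop of the redirect
# chain that follows a form submission is checked against form-action, so
# the chain is allowed only if each hop matches some source. Matching here
# is exact origin comparison plus 'self' (hypothetical simplification; real
# CSP host-source matching also handles wildcards and scheme-only sources).
def form_chain_allowed?(form_action, page_origin, hops)
  hops.all? do |hop|
    hop_origin = origin_of(hop)
    form_action.any? do |src|
      src == "'self'" ? hop_origin == page_origin : src == hop_origin
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: what the authorize request left in the session.
  return_to = "/oauth/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&scope=openid"
  chain = ["https://app.example/oauth/authorize?client_id=abc",
           "https://client.example/cb?code=xyz"]
  static  = ["'self'"]
  widened = form_action_with_oauth_redirect(static, return_to)
  puts "static  #{static.inspect}: allowed=#{form_chain_allowed?(static, 'https://app.example', chain)}"
  puts "widened #{widened.inspect}: allowed=#{form_chain_allowed?(widened, 'https://app.example', chain)}"
end
```

The host added here is whatever the incoming authorize request put in the session; the widening itself validates nothing beyond the URL shape, so the authorize endpoint's own check of redirect_uri against the registered client remains the control that decides where the browser is actually sent.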