~tsileo/microblog.pub-devel

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch
2 2

[PATCH] remote follow: use HTML redirect to work around CSP issue

Kevin Wallace <doof@doof.net>
Details
Message ID
<20221111175111.13451-1-doof@doof.net>
DKIM signature
missing
Download raw message
2 years ago
Patch: +23 -3 
In Chrome, I get the following when trying to use the remote follow form:

    Refused to send form data to 'https://example.com/remote_follow'
    because it violates the following Content Security Policy directive:
    "form-action 'self'".

It seems some browsers (but notably not Firefox) apply the form-action
policy to the redirect target in addition to the initial form
submission endpoint.  See:

    https://github.com/w3c/webappsec-csp/issues/8

In that thread, this workaround is suggested.
---
 app/main.py | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/app/main.py b/app/main.py
index 37e1ab8..e25cc9d 100644
--- a/app/main.py
+++ b/app/main.py
@@ -1,4 +1,5 @@
import base64
import html
import os
import sys
import time
@@ -38,6 +39,7 @@ from starlette.background import BackgroundTask
from starlette.datastructures import Headers
from starlette.datastructures import MutableHeaders
from starlette.exceptions import HTTPException as StarletteHTTPException
from starlette.responses import HTMLResponse
from starlette.responses import JSONResponse
from starlette.types import Message
from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware  # type: ignore
@@ -254,6 +256,25 @@ class ActivityPubResponse(JSONResponse):
    media_type = "application/activity+json"


class HTMLRedirectResponse(HTMLResponse):
    """
    Similar to RedirectResponse, but uses a 200 response with HTML.

    Needed for remote redirects on form submission endpoints,
    since our CSP policy disallows remote form submission.
    https://github.com/w3c/webappsec-csp/issues/8#issuecomment-810108984
    """

    def __init__(
        self,
        url: str,
    ) -> None:
        super().__init__(
            content=f'<a href="{html.escape(url)}">Continue to remote resource</a>',
            headers={"Refresh": "0;url=" + url},
        )


@app.get(config.NavBarItems.NOTES_PATH)
async def index(
    request: Request,
@@ -961,7 +982,7 @@ async def post_remote_follow(
    request: Request,
    csrf_check: None = Depends(verify_csrf_token),
    profile: str = Form(),
) -> RedirectResponse:
) -> HTMLRedirectResponse:
    if not profile.startswith("@"):
        profile = f"@{profile}"

@@ -970,9 +991,8 @@ async def post_remote_follow(
        # TODO(ts): error message to user
        raise HTTPException(status_code=404)

    return RedirectResponse(
    return HTMLRedirectResponse(
        remote_follow_template.format(uri=ID),
        status_code=302,
    )


-- 
2.35.1
Thomas Sileo <t@a4.io>
Details
Message ID
<3cf7d86f-291e-4581-b1d1-d2494cbbb6e2@app.fastmail.com>
In-Reply-To
<20221111175111.13451-1-doof@doof.net> (view parent)
DKIM signature
missing
Download raw message
2 years ago 
Hey!

I am using Firefox so I wasn't aware of this, that's a good catch! (and I think Firefox is doing "the right thing" :p).

I applied your patch, and made a little follow up commit here: https://git.sr.ht/~tsileo/microblog.pub/commit/0c5ce67d4ec2fa8b8d8628af28998313bcbb9ff0

Thank you!
Kevin Wallace <doof@doof.net>
Details
Message ID
<26100412-b234-48af-b576-9da9531fd048@app.fastmail.com>
In-Reply-To
<3cf7d86f-291e-4581-b1d1-d2494cbbb6e2@app.fastmail.com> (view parent)
DKIM signature
missing
Download raw message
2 years ago 
On Sun, Nov 13, 2022, at 8:39 AM, Thomas Sileo wrote:
> (and I think Firefox is doing "the right thing" :p).

Agreed - Chrome's behavior doesn't protect us from anything, and just makes things more complicated in cases like this.  Hopefully they update the spec to match Firefox.

Follow-up commit looks good!  Good catch on adding it to remote interactions, too.
Reply to thread Export thread (mbox)