projects
/
rails.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
4634c6b
)
Completely remove form-action restrictions for OAuth callbacks
author
Tom Hughes
<tom@compton.nu>
Wed, 23 May 2018 11:09:21 +0000
(12:09 +0100)
committer
Tom Hughes
<tom@compton.nu>
Wed, 23 May 2018 11:09:21 +0000
(12:09 +0100)
The CSP3 draft only allows a * rule match network schemes and
mobile devices often use callbacks to custom URL schemes.
app/controllers/oauth_controller.rb
patch
|
blob
|
history
diff --git
a/app/controllers/oauth_controller.rb
b/app/controllers/oauth_controller.rb
index ae6d0983b8fbcb89f10c9ef123d515b3fc6ccb29..801d88a18020642b60c8546473d8aaef1eaf1963 100644
(file)
--- a/
app/controllers/oauth_controller.rb
+++ b/
app/controllers/oauth_controller.rb
@@
-38,7
+38,7
@@
class OauthController < ApplicationController
protected
def oauth1_authorize
-
append_content_security_policy_directives(:form_action => %w[*]
)
+
override_content_security_policy_directives(:form_action => false
)
if @token.invalidated?
@message = t "oauth.authorize_failure.invalid"