From 701a9bc339b9d419326a62e85ef13666b08046cd Mon Sep 17 00:00:00 2001 From: epriestley Date: Fri, 22 Feb 2019 16:28:43 -0800 Subject: [PATCH] Fix Facebook login on mobile violating CSP after form redirect Summary: Fixes T13254. See that task for details. Test Plan: Used iOS Simulator to do a login locally, didn't get blocked. Verified CSP includes "m.facebook.com". Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13254 Differential Revision: https://secure.phabricator.com/D20206
---
 .../PhabricatorFacebookAuthProvider.php | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/src/applications/auth/provider/PhabricatorFacebookAuthProvider.php b/src/applications/auth/provider/PhabricatorFacebookAuthProvider.php
index e3e1fb43e5..67840727e8 100644
--- a/src/applications/auth/provider/PhabricatorFacebookAuthProvider.php
+++ b/src/applications/auth/provider/PhabricatorFacebookAuthProvider.php
@@ -47,6 +47,14 @@ final class PhabricatorFacebookAuthProvider
 return 'Facebook';
 }
+ protected function getContentSecurityPolicyFormActions() {
+ return array(
+ // See T13254. After login with a mobile device, Facebook may redirect
+ // to the mobile site.
+ 'https://m.facebook.com/',
+ );
+ }
+
 public function readFormValuesFromProvider() {
 $require_secure = $this->getProviderConfig()->getProperty(
 self::KEY_REQUIRE_SECURE);
@@ -114,15 +122,4 @@ final class PhabricatorFacebookAuthProvider
 return parent::renderConfigPropertyTransactionTitle($xaction);
 }
- public static function getFacebookApplicationID() {
- $providers = PhabricatorAuthProvider::getAllProviders();
- $fb_provider = idx($providers, 'facebook:facebook.com');
- if (!$fb_provider) {
- return null;
- }
-
- return $fb_provider->getProviderConfig()->getProperty(
- self::PROPERTY_APP_ID);
- }
-
 }
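Review bot: The new `getContentSecurityPolicyFormActions()` override in the first hunk has no docblock, so nothing in this file says that its return value widens the CSP `form-action` allowlist or what kind of entry is acceptable there. I would add above the method: `/** URIs this provider adds to the CSP form-action allowlist. Entries must be fixed HTTPS origins, never built from request data. */`. The override returns a fresh array, and the parent implementation is not visible in this hunk, so it is worth confirming that the parent has no entries that should be merged in rather than replaced. Because the entry ends in `/`, CSP path matching treats it as a prefix covering every path on `m.facebook.com`; that is presumably intended, but the inline comment could say so.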