fix popup auth broken due to new COOP header#138
Conversation
Reported-by: Sam Jose <samjosep512@gmail.com>
|
Well this is the first I'm hearing about it. |
|
FWIW, confirmed this change works in an internal iD fork. Let me know if I can be of any help to you all otherwise. |
1ec5
left a comment
1ec5
left a comment
There was a problem hiding this comment.
I’ve only used BroadcastChannel on occasion, but this looks about right to me.
|
How do you know if the popup window was closed by the user after this change? Any insight would be helpful. Thanks! |
Correct me if I'm wrong, but the COOP header intentionally makes this impossible, hence why this PR also reverts #135 🫤 This also prevents a dodgy referrer from polling |
|
That's my understanding as well, I hope you might have found a way to work around that... |
|
HOW THIS COULD BE SOLVED?, THERE IS NO POSSIBLE TO LOG IN |
|
I tested this out with a local build of Rapid and it seems ok. I had some concerns about how the messages get passed around,
So it sounds like a malicious app on the same origin could just listen for these messages. However I agree that this doesn't open up any new security risks, because anyway an app on the same origin can also just inspect the localStorage keys. I'm not sure whether this was ever documented clearly, but this is why multiple and not because the latter shares localStorage and the keys can conflict. |
7 participants
Caused by openstreetmap/openstreetmap-website@2ff4d6 , Closes #137
window.openercan't be used anymore, so we have to use aBroadcastChannelinstead. BroadcastChannels only support comms within the same origin, so this shouldn't introduce any new security risks in comparison to the existing solution, to the best of my knowledge.This is a breaking change because users need to manually update their
land.htmlfile.Unfortunately, this also reverts #135, which isn't possible anymore, since the popup window sets a restrictive COOP header