•  
      request #22710 Login forms uses different action URLs depending on the page
    Infos
    #22710
    Manuel Vacelet (vaceletm)
    2021-09-20 16:22
    2021-09-09 17:40
    24261
    Details
    Login forms uses different action URLs depending on the page

    Open a Tuleap homepage with it's IP address and try to login => browser refuse to login with because it violates the following Content Security Policy directive: "form-action 'self'"

    Then click on "Login" and try to authenticate => CSP are bypassed.

    Empty
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2021-09-17
    Attachments
    Empty
    References
    Referencing request #22710
    Referenced by request #22710

    Artifact Tracker v5

    rel #22587 13.1

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2021-09-16 18:19

    Yes please, I was waiting for 13.0 to start the integration

    Done. I allowed myself to rename the title of this request since this is not really about CSP and the rules are enforced in the expected way. gerrit #23841 will close the issue.

    That was not the intend. The goal was to have something consistent between the 2 login pages otherwise it's painful to troubleshoot.

    We agree then. Troubleshooting issues where CSP is involved can be tricky in those contexts.


    • Summary
      -login forms doesn't enforce CSP rules in a consitent way 
      +Login forms uses different action URLs depending on the page 
    • Status changed from New to Under review
    User avatar

    A lot of this could be simplified by the work done in gerrit #23841 and I can request its integration if it is something of interest

    Yes please, I was waiting for 13.0 to start the integration

    However, we cannot expect that accessing Tuleap with a different host than the one specified in the configuration is going to work

    That was not the intend. The goal was to have something consistent between the 2 login pages otherwise it's painful to troubleshoot.

    User avatar
    Thomas Gerbet (tgerbet)2021-09-16 16:59

    I took a quick look and there is no security issue here therefore I'm going to lift the restrictions set on the artifact.

    To explain what's going here:

    • some form actions and URLs on the homepage are prefixed with https://<sys_https_host> when sys_https_host is not empty. This is done to make sure credentials are not sent in clear over the network.
    • we have a CSP blocking form actions trying to send data to another origin because there is no good reason for Tuleap to ever do that.

    The instance was accessed with https://<ip> but sys_https_host was set to something else: the browser detected the origin between the two was different and denied the submission.

    A lot of this could be simplified by the work done in gerrit #23841 and I can request its integration if it is something of interest. However, we cannot expect that accessing Tuleap with a different host than the one specified in the configuration is going to work. There is a non negligible amount of things building URLs from the information given in the configuration so even if the login from homepage was successful it is very likely that issues would have been encountered.