From e9b314b2feb9af80e22cd026c3193dede09a8ce7 Mon Sep 17 00:00:00 2001
From: Helge Jung <hej@c3pb.de>
Date: Fri, 20 Dec 2024 09:46:17 +0100
Subject: [PATCH] SSO: add CSP policy 'form_action: *'

The OAuth2 workflow demands that a POST request be made back to the
requesting application. That request is currently blocked by CSP.
---
 src/core/views/sso.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/core/views/sso.py b/src/core/views/sso.py
index c9d1f4023..ec2548512 100644
--- a/src/core/views/sso.py
+++ b/src/core/views/sso.py
@@ -2,6 +2,7 @@ import calendar
 import json
 import logging
 
+from csp.decorators import csp_update
 from oauth2_provider.models import get_access_token_model
 from oauth2_provider.views import AuthorizationView, ClientProtectedScopedResourceView
 
@@ -24,12 +25,14 @@ class SelectedConferenceContextMixin:
         return ctx
 
 
+@method_decorator(csp_update(form_action='*'), name='dispatch')
 class OutOfBandDisplayTokenView(SelectedConferenceContextMixin, TemplateView):
     template_name = 'oauth2_provider/out-of-band-display-token.html'
 
 
+@method_decorator(csp_update(form_action='*'), name='dispatch')
 class AuthorizeView(SelectedConferenceContextMixin, AuthorizationView):
-    pass
+    template_name = 'oauth2_provider/authorize.html'
 
 
 @method_decorator(csrf_exempt, name='dispatch')
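Review bot: `form_action='*'` on the two decorators (L28, L33) disables the form-action protection entirely, while the OAuth2 authorization flow only needs the consent form to post back to the authorize view itself (`'self'`) and then redirect to the client's already-validated `redirect_uri` — browsers evaluate form-action against that post-submit redirect, which is presumably what was being blocked. Because the consent page renders client-controlled data (client name, redirect URI), a wildcard means any injected form on that page can submit the user's credentials or session to an arbitrary origin, which is exactly what the directive exists to prevent. Consider narrowing it per request instead: once `AuthorizationView` has validated the authorization request, allow `'self'` plus the origin of the validated `redirect_uri` (django-csp's `csp_update` decorator takes static values, so this would have to be applied to the request inside `dispatch`/`get` rather than at class level). For `OutOfBandDisplayTokenView`, if the template only displays the token and contains no cross-origin form, the widening is unnecessary there and should be dropped. Either way, each decorator deserves a why-comment, e.g. `# form-action is enforced on the post-consent redirect to the client's redirect_uri`.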
-- 
GitLab