eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(oauth): bypass form-action CSP blocking Connectors UI form submission (#2438)

Browse Source 
* fix(oauth): bypass form-action CSP via JS fetch + fix vercel.json CSP

Root cause: the Connectors WebView treats the page origin as something
other than https://api.worldmonitor.app (likely a null/app origin from
the native shell), so form-action 'self' blocked the consent form POST.

Changes:
- Consent form now uses JavaScript fetch() as primary submission path.
  form-action CSP only restricts HTML form submissions; fetch() is
  governed by connect-src, which already allows https:. The HTML form
  action remains as fallback with the absolute URL.
- Server detects X-Requested-With: fetch header and returns JSON
  { location } on success (so JS can navigate the WebView) or
  { error, nonce } on invalid key (so JS can update the form without
  a page reload). Native form POST path still returns 302.
- vercel.json: add sha256 hash of new inline script to script-src,
  and add explicit https://api.worldmonitor.app to form-action as
  belt-and-suspenders for browsers that resolve 'self' unexpectedly.

* feat(oauth): redesign consent/error pages with WorldMonitor UI + fix CSP script hash

- Redesign htmlError() and consentPage() to match WorldMonitor dashboard
  aesthetic (dark #0a0a0a bg, ui-monospace font, #2d8a6e teal, sharp corners)
- Add globe SVG logo, MCP capabilities list, and /pro link to consent page
- Fix vercel.json script-src hash: was sha256-1wYO... (computed from raw escape
  sequence) now sha256-GNMh... (computed from evaluated Unicode ellipsis)
- Script logic and DOM IDs unchanged; hash is now byte-perfect with served HTML

* fix(oauth): remove X-Requested-With header + allow null origin for WebView

Fixes two real P1 bugs caught in review:

1. X-Requested-With header made the fetch a non-simple CORS request, which
   triggered a preflight. The OPTIONS handler returned no
   Access-Control-Allow-Headers and vercel.json /oauth/* only allowed
   Content-Type/Authorization — so the preflight failed, and the form
   submission never reached the server.

   Fix: replace custom header detection with _js=1 POST body field.
   Content-Type: application/x-www-form-urlencoded is a simple CORS type
   with no custom headers, so no preflight is triggered.

2. WebView with opaque origin sends Origin: null (the literal string).
   The old check blocked any origin != https://api.worldmonitor.app,
   which returned 403 for every WebView submission.

   Fix: allow 'null' explicitly. The CSRF nonce (server-stored, atomic
   GETDEL, 10-min TTL) provides the actual security — origin is a
   defense-in-depth layer, not the primary guard.

Also adds 4 structural tests in edge-functions.test.mjs that will catch
regressions on both issues.
This commit is contained in:
Elie Habib
2026-03-28 21:19:51 +04:00
committed by GitHub
parent e43292b057
commit be679e8663
3 changed files with 133 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
vercel.json
View File

@@ -77,7 +77,7 @@
{ "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(self), accelerometer=(), autoplay=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), bluetooth=(), display-capture=(), encrypted-media=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), screen-wake-lock=(), serial=(), usb=(), xr-spatial-tracking=()" },
{ "key": "Content-Security-Policy", "value": "default-src 'self'; connect-src 'self' https: wss: blob: data:; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'sha256-LnMFPWZxTgVOr2VYwIh9mhQ3l/l3+a3SfNOLERnuHfY=' 'sha256-4Z2xtr1B9QQugoojE/nbpOViG+8l2B7CZVlKgC78AeQ=' 'sha256-903UI9my1I7mqHoiVeZSc56yd50YoRJTB2269QqL76w=' 'wasm-unsafe-eval' https://www.youtube.com https://static.cloudflareinsights.com https://vercel.live https://challenges.cloudflare.com https://*.clerk.accounts.dev https://abacus.worldmonitor.app; worker-src 'self' blob:; font-src 'self' data: https:; media-src 'self' data: blob: https:; frame-src 'self' https://worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://www.youtube.com https://www.youtube-nocookie.com https://webcams.windy.com https://challenges.cloudflare.com https://*.clerk.accounts.dev https://vercel.live https://*.vercel.app; frame-ancestors 'self' https://www.worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://worldmonitor.app https://vercel.live https://*.vercel.app; base-uri 'self'; object-src 'none'; form-action 'self'" }
{ "key": "Content-Security-Policy", "value": "default-src 'self'; connect-src 'self' https: wss: blob: data:; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'sha256-LnMFPWZxTgVOr2VYwIh9mhQ3l/l3+a3SfNOLERnuHfY=' 'sha256-4Z2xtr1B9QQugoojE/nbpOViG+8l2B7CZVlKgC78AeQ=' 'sha256-903UI9my1I7mqHoiVeZSc56yd50YoRJTB2269QqL76w=' 'sha256-EytE6o1N8rwzpVFMrF+WvBZr2y5UhFLw79o1/4VqS0s=' 'wasm-unsafe-eval' https://www.youtube.com https://static.cloudflareinsights.com https://vercel.live https://challenges.cloudflare.com https://*.clerk.accounts.dev https://abacus.worldmonitor.app; worker-src 'self' blob:; font-src 'self' data: https:; media-src 'self' data: blob: https:; frame-src 'self' https://worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://www.youtube.com https://www.youtube-nocookie.com https://webcams.windy.com https://challenges.cloudflare.com https://*.clerk.accounts.dev https://vercel.live https://*.vercel.app; frame-ancestors 'self' https://www.worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://worldmonitor.app https://vercel.live https://*.vercel.app; base-uri 'self'; object-src 'none'; form-action 'self' https://api.worldmonitor.app" }
]
},
{