-rw-r--r--core/Controller/ClientFlowLoginController.php12
-rw-r--r--tests/Core/Controller/ClientFlowLoginControllerTest.php3
2 files changed, 12 insertions, 3 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index f049f282ce8..bffedf19224 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -196,7 +196,11 @@ class ClientFlowLoginController extends Controller {
$this->session->set(self::stateName, $stateToken);
$csp = new Http\ContentSecurityPolicy();
- $csp->addAllowedFormActionDomain('nc://*');
+ if ($client) {
+ $csp->addAllowedFormActionDomain($client->getRedirectUri());
+ } else {
+ $csp->addAllowedFormActionDomain('nc://*');
+ }
$response = new StandaloneTemplateResponse(
$this->appName,
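Review bot: `$client->getRedirectUri()` on the added line is handed to `addAllowedFormActionDomain` unchanged, yet a registered redirect URI may carry a query string or fragment, which the CSP source-expression grammar does not permit; a browser would then most likely ignore that source and block the form post outright instead of falling back to anything. Consider reducing the value to scheme, host and port before adding it (for example via `parse_url`), or at least cutting everything from `?` onward, and skip the call when the result is empty. The second hunk of this file (around line 245) repeats the same pattern and needs the same treatment. The enclosing method starts and ends outside the hunk, so it is not visible here where `$client` is assigned or whether it can be null; the `if ($client)` guard suggests it can, and `if ($client !== null)` would state that intent explicitly rather than relying on truthiness.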
@@ -241,7 +245,11 @@ class ClientFlowLoginController extends Controller {
}
$csp = new Http\ContentSecurityPolicy();
- $csp->addAllowedFormActionDomain('nc://*');
+ if ($client) {
+ $csp->addAllowedFormActionDomain($client->getRedirectUri());
+ } else {
+ $csp->addAllowedFormActionDomain('nc://*');
+ }
$response = new StandaloneTemplateResponse(
$this->appName,
diff --git a/tests/Core/Controller/ClientFlowLoginControllerTest.php b/tests/Core/Controller/ClientFlowLoginControllerTest.php
index f35b616a68e..50280e18371 100644
--- a/tests/Core/Controller/ClientFlowLoginControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginControllerTest.php
@@ -200,6 +200,7 @@ class ClientFlowLoginControllerTest extends TestCase {
->willReturn('Mac OS X Sync Client');
$client = new Client();
$client->setName('My external service');
+ $client->setRedirectUri('https://example.com/redirect.php');
$this->clientMapper
->expects($this->once())
->method('getByIdentifier')
@@ -249,7 +250,7 @@ class ClientFlowLoginControllerTest extends TestCase {
'guest'
);
$csp = new Http\ContentSecurityPolicy();
- $csp->addAllowedFormActionDomain('nc://*');
+ $csp->addAllowedFormActionDomain('https://example.com/redirect.php');
$expected->setContentSecurityPolicy($csp);
$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage('MyClientIdentifier'));
}
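Review bot: Once the test client carries a redirect URI, the `nc://*` fallback that the controller keeps in its `else` branch is no longer asserted anywhere in the visible changes. Consider a companion case that exercises `showAuthPickerPage` without a resolvable client and expects `$csp->addAllowedFormActionDomain('nc://*');` on the expected policy, so the fallback path cannot regress silently. The test method begins outside the hunk.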