Webauthn script not loaded on localhost due to Content Security Policy violation #355
The passwordless login method is broken in the latest login UI version.
To reproduce:
Due to this error, the webauthn.js script is not loaded and the QR code pop-up is not shown.
This seems to be caused by #299 (I tried removing the changes it introduced and the script was loaded correctly).

Comments

Thank you for reporting your feedback to us! The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-1187.

This is expected to happen because the policy on https://github.com/canonical/identity-platform-login-ui/blob/main/pkg/ui/handlers.go#L38 defines that content should only be fetched from
IMO there are 2 ways to fix this:

Thanks a lot for the analysis @nsklikas, that seems to be the reason, because the passwordless login is only broken with localhost but works on PS6 with v0.18.1 deployed. As a temporary workaround, this line can be commented out while testing webauthn on localhost. @edlerd could you address these 2 points?

The CSP is backend controlled, the frontend can't possibly change it. @BarcoMasile can you come up with a good solution? I would advise not to deactivate the CSP, that seems like a security risk to me.

If I remember correctly, the kratos passkeys implementation depends on using

Maybe the easiest way forward is to adjust the dev setup to use a proxy in the same way production does. This has the advantage of developing and testing on an infrastructure that is much more like the real deployment.

We don't want to fully deactivate it, just loosen it for localhost for dev and testing purposes, perhaps as a config option.

I don't recall that, passkeys support was added before the security policy was introduced in #299.

That could be a solution, but I'm not sure we want to add another piece to the dev setup. We'll discuss that.

@edlerd @natalian98 @nsklikas

Though this is an easy fix, I see the downside of leaking complexity from the development environment into production code.

Had some time to check the details on this today. We do not use
TL;DR: I think we can remove
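The thread turns on one mechanic: a Content-Security-Policy whose script-src is restricted to the UI's own origin ('self') blocks webauthn.js when Kratos serves it from a different origin, which is the case in a localhost setup without the proxy that production uses. The following Go example, added here and not code from identity-platform-login-ui or Kratos, shows both proposals side by side: a small middleware that emits the policy from a hypothetical CSPConfig (the "config option" idea, where extra script origins are appended only for dev), and a minimal script-src matcher that explains why the same script URL is blocked cross-origin yet passes when fronted by a same-origin proxy. The ports 4455 (UI) and 4433 (Kratos), the script path /.well-known/ory/webauthn.js and the header value itself are assumptions for illustration; the project's real header text is not visible on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// CSPConfig is a hypothetical configuration struct for this example; the
// login UI's real configuration surface is not shown in the issue.
type CSPConfig struct {
	// ExtraScriptSources are additional origins appended to script-src.
	// Meant for local development only, where webauthn.js is served by a
	// Kratos instance on a different origin than the UI.
	ExtraScriptSources []string
}

// BuildCSP renders the Content-Security-Policy value. With an empty config
// scripts may only come from the UI's own origin ('self'); extra sources are
// appended only when explicitly configured, so production stays strict.
func BuildCSP(cfg CSPConfig) string {
	scriptSrc := append([]string{"'self'"}, cfg.ExtraScriptSources...)
	return fmt.Sprintf("default-src 'self'; script-src %s", strings.Join(scriptSrc, " "))
}

// CSPMiddleware attaches the policy to every response of the wrapped handler.
func CSPMiddleware(cfg CSPConfig, next http.Handler) http.Handler {
	policy := BuildCSP(cfg)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

// originOf reduces an absolute URL to its scheme://host[:port] origin, which
// is what 'self' and host-source comparisons are matched against here.
func originOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// ScriptAllowed reports whether a script at scriptURL, referenced from a page
// served at pageOrigin, passes the script-src directive of csp (falling back
// to default-src when script-src is absent, as CSP does). Only 'self', 'none'
// and plain origin sources are understood, which is enough to reproduce the
// localhost failure; it is not a complete CSP matcher (no wildcards, paths,
// nonces, hashes or scheme-only sources).
func ScriptAllowed(csp, pageOrigin, scriptURL string) (bool, error) {
	scriptOrigin, err := originOf(scriptURL)
	if err != nil {
		return false, err
	}
	self, err := originOf(pageOrigin)
	if err != nil {
		return false, err
	}
	directives := map[string][]string{}
	for _, d := range strings.Split(csp, ";") {
		fields := strings.Fields(d)
		if len(fields) > 0 {
			directives[strings.ToLower(fields[0])] = fields[1:]
		}
	}
	sources, ok := directives["script-src"]
	if !ok {
		if sources, ok = directives["default-src"]; !ok {
			return true, nil // no applicable directive: scripts are unrestricted
		}
	}
	for _, src := range sources {
		switch {
		case strings.EqualFold(src, "'self'"):
			if scriptOrigin == self {
				return true, nil
			}
		case strings.EqualFold(src, "'none'"):
			// matches nothing; other entries in the list still apply
		default:
			o, err := originOf(src)
			if err != nil {
				return false, fmt.Errorf("unsupported source expression: %s", src)
			}
			if o == scriptOrigin {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	// Assumed dev layout (not taken from the issue): UI on :4455, Kratos on
	// :4433, webauthn.js served by Kratos at /.well-known/ory/webauthn.js.
	page := "http://localhost:4455"
	script := "http://localhost:4433/.well-known/ory/webauthn.js"
	for _, cfg := range []CSPConfig{{}, {ExtraScriptSources: []string{"http://localhost:4433"}}} {
		policy := BuildCSP(cfg)
		allowed, _ := ScriptAllowed(policy, page, script)
		fmt.Printf("%-55s allowed=%v\n", policy, allowed)
	}
}
```

Run stand-alone, the first policy (the strict, production-style one) rejects the cross-origin Kratos script and the second, with the dev-only origin appended, accepts it; routing Kratos through a same-origin proxy path makes the strict policy pass without any extra source, which is what the proxy proposal relies on. The design point is that ExtraScriptSources stays empty unless set, so the loosened policy never ships by default.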