Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

warehouse: Remove <form> on WebAuth provision #6546

Merged
merged 2 commits into from
Aug 29, 2019
Merged

warehouse: Remove <form> on WebAuth provision #6546

merged 2 commits into from
Aug 29, 2019

Conversation

woodruffw
Copy link
Member

<form> was introduced in #6524, but was causing some weird routing when submitted via the return key rather than a direct button press (probably because <form> defaults to GET). It's also unfortunately still nonfunctional with method="POST", since we still need to perform the relevant WebAuthn operations in JavaScript.

@woodruffw
warehouse: Remove <form> on WebAuth provision
a773120 
Add a keyevent for the label input.
@woodruffw
Copy link
Member Author

cc @di @nlhkabu

@di
Copy link
Member

di commented Aug 29, 2019

Is it possible to use onsubmit here instead?

@woodruffw
Copy link
Member Author

Is it possible to use onsubmit here instead?

I was under the impression that the CSP policy would block it, based on this script-src definition:

                "script-src": [
                    SELF,
                    "www.googletagmanager.com",
                    "www.google-analytics.com",
                    "*.fastly-insights.com",
                    "https://cdn.ravenjs.com",
                ],

But I'll give it a try locally!

@woodruffw
Copy link
Member Author

Yep, I get a CSP error when activating the form via onsubmit.

@nlhkabu
Copy link
Contributor

nlhkabu commented Aug 29, 2019

Why do we need the new JS here? Can we just revert adding the <form> tag for now?

@woodruffw
Copy link
Member Author

woodruffw commented Aug 29, 2019
edited
Loading

Why do we need the new JS here?

The JS handles the case where the user hits the return key on the label input. With <form> that caused an (incorrect) GET to the endpoint; with the JS it submits the POST correctly.

I could remove it and limit this PR to just the revert, but I think the non-<form> behavior without it is a little unintuitive (but also not strictly broken).

@nlhkabu
Copy link
Contributor

nlhkabu commented Aug 29, 2019

ok, thanks. I'll defer to @di for reviewing the JS. Once this is merged, I will reopen #6472

@woodruffw
warehouse: Drop JS changes
5196dca 
Will revisit in a future PR.
@nlhkabu nlhkabu merged commit ec451f7 into pypi:master Aug 29, 2019
@woodruffw woodruffw deleted the tob-webauthn-form-return branch August 29, 2019 20:17
This was referenced Mar 16, 2020
Open
Open
This was referenced Nov 17, 2020
Open
Open
This was referenced Mar 30, 2021
Open
Open
@snyk-bot snyk-bot mentioned this pull request Sep 16, 2021
Open
@snyk-bot snyk-bot mentioned this pull request Apr 7, 2022
Open
@Matthelonianxl Matthelonianxl mentioned this pull request May 13, 2022
Open
@UbuntuEvangelist UbuntuEvangelist mentioned this pull request May 14, 2022
Open
@Matthelonianxl Matthelonianxl mentioned this pull request Jun 21, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nlhkabu nlhkabu nlhkabu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodruffw @di @nlhkabu