@startup-api/cloudflare 0.4.1 → 0.4.2

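--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@startup-api/cloudflare",
-"version": "0.4.1",
+"version": "0.4.2",
 "license": "Apache-2.0",
 "publishConfig": {
 "access": "public"
@@ -304,10 +304,12 @@ export class AtprotoProvider extends OAuthProvider {
 status,
 headers: {
 'Content-Type': 'text/html; charset=utf-8',
-// Same hardening as the auth error page: only same-origin styles/form, never framed, never cached
-// (the re-rendered form reflects the user-supplied handle).
-'Content-Security-Policy':
-"default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'none'; frame-ancestors 'none'",
+// Hardening: same-origin styles only, never framed, never cached (the form reflects the
+// user-supplied handle). NOTE: deliberately NO `form-action` directive — submitting this form
+// hits our endpoint, which 302-redirects to the user's *own* authorization server (any PDS).
+// `form-action` is enforced across the whole redirect chain, so `'self'` (or any fixed list)
+// would block that cross-origin redirect and the login would silently fail.
+'Content-Security-Policy': "default-src 'none'; style-src 'self' 'unsafe-inline'; base-uri 'none'; frame-ancestors 'none'",
 'X-Content-Type-Options': 'nosniff',
 'Referrer-Policy': 'no-referrer',
 'Cache-Control': 'no-store',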
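Review bot: Dropping `form-action` altogether leaves the submit target completely unconstrained, whereas a scheme-only allowance on the new line 312, `"default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self' https:; base-uri 'none'; frame-ancestors 'none'"`, would still let the redirect chain reach any HTTPS authorization server while refusing `http:` or non-HTTP-scheme targets — worth confirming that this is enough for the PDS redirect before settling on no directive at all. The new comment on lines 307–308 says "same-origin styles only", but the directive also keeps `'unsafe-inline'`, so the wording should read `same-origin and inline styles`. The removed comment said this page shared its hardening with the auth error page; if that page still carries `form-action 'self'` (outside this hunk), a note there or a shared constant should record that the two policies now intentionally differ. The enclosing method starts and ends outside the hunk.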