Merge pull request #98 from nextcloud/fix/safari-form-action

nextcloud · Apr 3, 2024 · 0b21861 · 0b21861
2 parents 7bcc08f + 510e429
commit 0b21861
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/lib/Controller/PasswordController.php b/lib/Controller/PasswordController.php
@@ -27,6 +27,7 @@
 
 use OC\Authentication\Token\IProvider;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IConfig;
@@ -195,7 +196,6 @@ public function submitPassword(string $token, string $email, string $password, s
 		if ($ocsapirequest === '1') {
 			$clientName = $this->getClientName();
 			$redirectUri = $this->generateAppPassword($email, $clientName);
-
 			return new RedirectResponse($redirectUri);
 		}
 
@@ -220,17 +220,27 @@ public function submitPassword(string $token, string $email, string $password, s
 	 * @return TemplateResponse
 	 */
 	protected function generateTemplate(string $token, string $email, string $error = '', bool $ocs = false) {
-		return new TemplateResponse(
+		$response = new TemplateResponse(
 			$this->appName,
 			'password-public',
 			array(
-				'link' => $this->urlGenerator->linkToRouteAbsolute($this->appName . '.password.submit_password', array('token' => $token)),
+				'link' => $this->urlGenerator->linkToRoute($this->appName . '.password.submit_password', array('token' => $token)),
 				'email' => $email,
 				'ocsapirequest' => $this->request->getHeader('OCS-APIREQUEST') || $ocs,
 				'error' => $error
 			),
 			'guest'
 		);
+
+		if ($ocs) {
+			// We need to set the CSP header to allow the redirect to the Nextcloud client
+			// some browsers (e.g. Safari) seems to block the redirect if the CSP header is not set.
+			$csp = new ContentSecurityPolicy();
+			$csp->addAllowedFormActionDomain('nc://*');
+			$response->setContentSecurityPolicy($csp);
+		}
+
+		return $response;
 	}
 
 	/**