
Incorrect Content Security Policy when AWS SSO is active #13712

Closed
pixelfields opened this issue Jan 30, 2025 · 8 comments · Fixed by #13753
Labels
enhancement Adding or requesting a new feature.

Comments

@pixelfields

Describe the issue

On the /accounts/login page, the CSP header sets form-action to 'self *.superdomain.com portal.sso.eu-central-1.amazonaws.com', if external aws auth provider is configured.

But if trying to sign in with the aws external provider, it's ending with the error:

Refused to send form data to 'https://sub-subdomain.subdomain.superdomain.com/accounts/login/saml/' because it violates the following Content Security Policy directive: "form-action 'self' *.superdomain.com portal.sso.eu-central-1.amazonaws.com".

I already tried

  • I've read and searched the documentation.
  • I've searched for similar filed issues in this repository.

Steps to reproduce the behavior

  1. set up weblate and configure an aws external auth provider.
  2. go to the login page and try to click the button for the external provider
  3. If chrome: button does not work and a console error is logged; if safari: button works

Expected behavior

The browser should always follow the redirect to continue the login process with the external provider.

Screenshots

Image

Exception traceback

How do you run Weblate?

Docker container

Weblate versions

  • Weblate: 5.8.4
  • Django: 5.1.3
  • siphashc: 2.5
  • translate-toolkit: 3.14.1
  • lxml: 5.3.0
  • pillow: 11.0.0
  • nh3: 0.2.18
  • python-dateutil: 2.9.0.post0
  • social-auth-core: 4.5.4
  • social-auth-app-django: 5.4.2
  • django-crispy-forms: 2.3
  • oauthlib: 3.2.2
  • django-compressor: 4.5.1
  • djangorestframework: 3.15.2
  • django-filter: 24.3
  • django-appconf: 1.0.6
  • user-agents: 2.2.0
  • filelock: 3.16.1
  • RapidFuzz: 3.10.1
  • openpyxl: 3.1.5
  • celery: 5.4.0
  • django-celery-beat: 2.7.0
  • kombu: 5.4.2
  • translation-finder: 2.19
  • weblate-language-data: 2024.14
  • html2text: 2024.2.26
  • pycairo: 1.27.0
  • PyGObject: 3.50.0
  • diff-match-patch: 20241021
  • requests: 2.32.3
  • django-redis: 5.4.0
  • hiredis: 3.0.0
  • sentry-sdk: 2.18.0
  • Cython: 3.0.11
  • mistletoe: 1.4.0
  • GitPython: 3.1.43
  • borgbackup: 1.4.0
  • pyparsing: 3.2.0
  • ahocorasick_rs: 0.22.1
  • python-redis-lock: 4.0.0
  • charset-normalizer: 3.4.0
  • cyrtranslit: 1.1.1
  • drf-spectacular: 0.27.2
  • Python: 3.12.7
  • Git: 2.39.5
  • psycopg: 3.2.3
  • psycopg-binary: 3.2.3
  • phply: 1.2.6
  • ruamel.yaml: 0.18.6
  • tesserocr: 2.7.1
  • boto3: 1.35.65
  • aeidon: 1.15
  • iniparse: 0.5
  • mysqlclient: 2.2.6
  • google-cloud-translate: 3.18.0
  • openai: 1.54.5
  • Mercurial: 6.8.2
  • git-svn: 2.39.5
  • git-review: 2.4.0
  • PostgreSQL server: 15.7
  • Database backends: django.db.backends.postgresql
  • PostgreSQL implementation: psycopg3 (binary)
  • Cache backends: default:RedisCache, avatar:FileBasedCache
  • Email setup: django.core.mail.backends.smtp.EmailBackend: email-smtp.eu-central-1.amazonaws.com
  • OS encoding: filesystem=utf-8, default=utf-8
  • Celery: redis://:weblate@weblate-redis-master:6379/1, redis://:weblate@weblate-redis-master:6379/1, regular
  • Platform: Linux 5.10.226-214.880.amzn2.x86_64 (x86_64)

Weblate deploy checks

System check identified some issues:

INFOS:
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
        HINT: https://docs.weblate.org/en/weblate-5.8.4/admin/backup.html
?: (weblate.I031) New Weblate version is available, please upgrade to 5.9.2.
        HINT: https://docs.weblate.org/en/weblate-5.8.4/admin/upgrade.html

Additional context

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

@nijel
Member

nijel commented Jan 30, 2025

I am a bit lost in your setup. Is https://sub-subdomain.subdomain.superdomain.com/accounts/login/saml/ the URL of Weblate? If so, it should be covered by the 'self' directive. Or is that CSP from AWS? Weblate IMHO doesn't include any wildcard matches in those headers.

@pixelfields
Author

@nijel Sorry for the confusion, you're right. Again my apologies. We made a change in the configuration just to try to fix the issue somehow, because it doesn't work even with the default setting. Added this to try to solve it:

WEBLATE_CSP_FORM_SRC: "*.superdomain.com"

Reverted the changes I made to show that it fails even with the default settings.

Image

Our configuration for AWS SSO is as following:

 WEBLATE_ENABLE_HTTPS: "1"
 WEBLATE_REGISTRATION_ALLOW_BACKENDS: saml
 WEBLATE_REGISTRATION_OPEN: "1"
 WEBLATE_SAML_IDP_TITLE: AWS-SSO
 WEBLATE_SAML_ID_ATTR_EMAIL: email
 WEBLATE_SAML_ID_ATTR_NAME: full_name
 WEBLATE_SAML_ID_ATTR_USERNAME: username
 WEBLATE_SAML_ID_ATTR_USER_PERMANENT_ID: user_permanent_id

Again, my apologies for the confusion.

@nijel
Member

nijel commented Feb 3, 2025

Can you please look into the individual requests to see where the problematic one is coming from? SAML does many redirects on the way and browsers are not really good at identifying the cause of this error (basically the whole chain has to be allowed in the CSP for all the redirects).

@pixelfields
Author

pixelfields commented Feb 4, 2025

@nijel So it looks like it works now. It needs *.awsapps.com to be added to the CSP headers, because https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/ is trying to redirect to subdomain.awsapps.com.

Image

So adding:

WEBLATE_CSP_FORM_SRC: "*.awsapps.com" as an env variable fixed the issue.

The CSP header is now:

content-security-policy:
default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action *.awsapps.com portal.sso.eu-central-1.amazonaws.com 'self'; manifest-src 'self'

Maybe it would be worth adding something to the documentation, if it's not possible to add that header by default.
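The redirect-chain point nijel raises above and the *.awsapps.com fix pixelfields found, as an added Python example that is not Weblate's code: it applies CSP host-source matching to every hop of the SAML login chain and reports the hops a given form-action directive would block. The Weblate origin and the awsapps path are assumptions; the AWS SSO endpoint and subdomain.awsapps.com are the hosts named in the report.

```python
from urllib.parse import urlparse


def parse_form_action(csp_header: str) -> list[str]:
    """Return the source list of the form-action directive ([] if absent)."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "form-action":
            return parts[1:]
    return []


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """CSP host-source matching: 'self' (scheme+host), exact host, or *.domain."""
    target = urlparse(url)
    host = (target.hostname or "").lower()
    if source == "'self'":
        origin = urlparse(self_origin)
        return (target.scheme, host) == (origin.scheme, origin.hostname)
    src = source.lower()
    if "://" in src:  # a source expression may carry a scheme, e.g. https://host
        scheme, _, src = src.partition("://")
        if scheme != target.scheme:
            return False
    if src.startswith("*."):
        # a wildcard covers subdomains only, never the bare domain itself
        return host.endswith(src[1:]) and host != src[2:]
    return host == src


def chain_violations(csp_header: str, chain: list[str], self_origin: str) -> list[str]:
    """Hops blocked by form-action; Chrome re-checks it on every redirect."""
    sources = parse_form_action(csp_header)
    return [hop for hop in chain
            if not any(source_matches(s, hop, self_origin) for s in sources)]


# Constructed sample: the Weblate origin and the awsapps path are assumptions;
# the AWS SSO endpoint and subdomain.awsapps.com are the hosts named in the issue.
SELF_ORIGIN = "https://weblate.example.com"
SAML_CHAIN = [
    "https://weblate.example.com/accounts/login/saml/",
    "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/",
    "https://subdomain.awsapps.com/start",
]
CSP_DEFAULT = "default-src 'none'; form-action portal.sso.eu-central-1.amazonaws.com 'self'"
CSP_FIXED = "default-src 'none'; form-action *.awsapps.com portal.sso.eu-central-1.amazonaws.com 'self'"
```

With CSP_DEFAULT the last hop is reported, matching the Chrome error; with CSP_FIXED the list is empty.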

nijel added a commit to nijel/weblate that referenced this issue Feb 4, 2025
@nijel nijel added the enhancement Adding or requesting a new feature. label Feb 4, 2025
@nijel nijel added this to the 5.10 milestone Feb 4, 2025
@nijel nijel self-assigned this Feb 4, 2025
@nijel
Member

nijel commented Feb 4, 2025

It should be possible to add automatically. What is your IDP_URL? Would what is implemented in #13753 work for you?

nijel added a commit to nijel/weblate that referenced this issue Feb 5, 2025
@nijel nijel closed this as completed in 096cfa5 Feb 5, 2025

github-actions bot commented Feb 5, 2025

Thank you for your report; the issue you have reported has just been fixed.

  • In case you see a problem with the fix, please comment on this issue.
  • In case you see a similar problem, please open a separate issue.
  • If you are happy with the outcome, don’t hesitate to support Weblate by making a donation.


@pixelfields
Author

It should be possible to add automatically. What is your IDP_URL? Would what is implemented in #13753 work for you?

@nijel Looks good, thx for that! Also thank you for the swift replies from your side!
