Skip to content

Fix: form-action CSP blocked atproto login form submission (v0.4.2)#107

Merged
sergeychernyshev merged 2 commits into
mainfrom
fix/atproto-form-action-csp
Jun 29, 2026
Merged

Fix: form-action CSP blocked atproto login form submission (v0.4.2)#107
sergeychernyshev merged 2 commits into
mainfrom
fix/atproto-form-action-csp

Conversation

@sergeychernyshev

Copy link
Copy Markdown
Member

Regression in 0.4.1 — atproto login form does nothing

The hardened CSP added to the handle-entry form in #106 included form-action 'self', which silently breaks login.

Root cause

Submitting the handle form hits our /users/auth/atproto?handle=… endpoint, which immediately 302-redirects to the user's own authorization server (any PDS — bsky.social or self-hosted, cross-origin). form-action is enforced across the entire redirect chain, so 'self' rejects the submission and the browser does nothing.

This is exactly the reported symptom: navigating to the auth URL directly works (no form involved), but the form "doesn't send you there."

Reproduced in headless Chrome — the console shows:

Sending form data to '.../users/auth/atproto?handle=sergeyche.dev&return_url=%2F'
violates the following Content Security Policy directive: "form-action 'self'". The request has been blocked.

Fix

Remove the form-action directive from the handle form. It's fundamentally incompatible with a login form that must redirect to per-user auth servers. All other hardening stays: default-src 'none' (no scripts), frame-ancestors 'none', style-src 'self', nosniff, no-store. Added a regression test asserting the form CSP never carries form-action.

Verified

  • Drove the fixed form in headless Chrome against wrangler dev: submission now navigates to the auth endpoint with the handle and no CSP violation (localhost returns 400 only because bsky can't fetch a 127.0.0.1 client-metadata URL for PAR; on the live HTTPS demo it 302s to bsky).
  • tsc + eslint clean; full suite 129/129.

Bumps patch version to 0.4.2 (0.4.1 is live-broken).

🤖 Generated with Claude Code

sergeychernyshev and others added 2 commits June 28, 2026 22:35
The handle-entry form sets a strict CSP. The `form-action 'self'` directive
(added for defense-in-depth) silently broke login: submitting the form hits
our endpoint, which immediately 302-redirects to the user's own
authorization server (any PDS, cross-origin). `form-action` is enforced
across the entire redirect chain, so `'self'` blocks the submission and the
browser does nothing — exactly the "form doesn't send me there" symptom,
while navigating to the auth URL directly worked (no form-action involved).

Remove the `form-action` directive entirely — it is fundamentally
incompatible with a login form that must redirect to per-user auth servers.
The rest of the hardening (default-src 'none', no scripts, frame-ancestors,
nosniff, no-store, style-src 'self') stays. Add a regression test asserting
the form CSP never carries form-action.

Reproduced and verified the fix by driving the form in headless Chrome.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
startup-api 1ef82e6 Jun 29 2026, 02:36 AM

@sergeychernyshev sergeychernyshev merged commit ff1d380 into main Jun 29, 2026
2 checks passed
@sergeychernyshev sergeychernyshev deleted the fix/atproto-form-action-csp branch June 29, 2026 02:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant