Feedback broken: Content Security Policy violated #55

Open
johnjohndoe opened this issue Feb 16, 2024 · 4 comments
Comments

@johnjohndoe

johnjohndoe commented Feb 16, 2024

I tried to give feedback to https://fosdem.org/2024/schedule/event/fosdem-2024-3472-switching-the-fosdem-conference-management-system-to-pretalx/

This fails and the following error message pops up in the browser dev console:

Refused to send form data to 'https://pretalx.fosdem.org/fosdem-2024/talk/AC7NNS/feedback/' because it violates the following Content Security Policy directive: "form-action 'self'".

Brave Version 1.62.162 Chromium: 121.0.6167.164 (Official Build) (64-bit)

@johanvdw
Member

Thanks for the report!
The good news: the feedback was reported it seems.
This must be related to my last changes (making the feedback visible to the speakers).

@johanvdw
Member

The issue seems to stem from the redirect after the submission happened. Chrome will not do that, Firefox will. In both cases data is recorded.

Can the form-action redirect to another url?

This question is currently debated, and as a result browser vendors have different implementations regarding what happens when a form is redirected to a different url.

Form data can be sent to the redirected url if the HTTP status code is 307 or 308, which makes the redirect potentially sensitive.

Currently Firefox allows the redirect, while Chrome and Safari will block them.

from https://content-security-policy.com/form-action/

so we should probably also allow https://fosdem.org in form-action

@johanvdw
Member

This was now solved by adding to pretalx.cfg

csp_form='self',https://fosdem.org

Not yet closing the issue because I did that outside Ansible
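The two comments above describe the mechanism (a form-action source list is checked against the submission URL and, in Chrome and Safari, against the redirect target too) and the fix (adding https://fosdem.org to csp_form). The following is an added example, not code from pretalx, FOSDEM or the commenters: a small checker that parses a form-action directive, matches CSP source expressions ('self', host sources with optional scheme, port and *.wildcard, scheme sources) against URLs, and walks a submission plus redirect under both browser behaviours. It assumes that pretalx turns the comma-separated csp_form value into a space-separated directive; the URLs in the demo are the ones quoted in this issue.

```python
"""Added example (not pretalx or FOSDEM code): evaluate a CSP form-action
source list against a form submission and its post-submission redirect.
Assumption: pretalx joins the comma-separated csp_form entries with spaces."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def csp_form_to_directive(csp_form_value):
    """Turn a pretalx.cfg csp_form value into a form-action directive (assumed format)."""
    sources = [s.strip() for s in csp_form_value.split(",") if s.strip()]
    return "form-action " + " ".join(sources)


def parse_form_action(csp_header):
    """Return the form-action source list, or None if the directive is absent."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "form-action":
            return parts[1:]
    return None


def _origin(url):
    """(scheme, host, effective port) of a URL; default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, target_url, page_url):
    """Does one CSP source expression match target_url for a page at page_url?"""
    if source == "'none'":
        return False
    if source == "*":
        return True
    t_scheme, t_host, t_port = _origin(target_url)
    if source == "'self'":
        return _origin(page_url) == (t_scheme, t_host, t_port)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return t_scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]; host may start with "*."
    if "://" in source:
        s_scheme, rest = source.lower().split("://", 1)
    else:
        s_scheme, rest = None, source.lower()
    host, _, port = rest.partition(":")
    if s_scheme is None:
        # no scheme: the page's scheme applies, with http -> https upgrades allowed
        p_scheme = _origin(page_url)[0]
        if t_scheme != p_scheme and not (p_scheme == "http" and t_scheme == "https"):
            return False
    elif s_scheme != t_scheme:
        return False
    if port == "":
        if t_port != DEFAULT_PORTS.get(t_scheme):
            return False
    elif port != "*" and int(port) != t_port:
        return False
    if host.startswith("*."):
        return t_host.endswith(host[1:])  # subdomains only, not the bare domain
    return t_host == host


def form_action_allows(csp_header, page_url, target_url):
    """True if the header's form-action list permits a submission to target_url."""
    sources = parse_form_action(csp_header)
    if sources is None:
        return True  # no form-action directive: submissions are unrestricted
    return any(source_matches(s, target_url, page_url) for s in sources)


def simulate_submission(csp_header, page_url, action_url, redirect_url=None,
                        check_redirects=True):
    """Walk a submission: the action URL first, then the redirect target.
    check_redirects=True models Chrome/Safari, which re-check the redirected
    URL against form-action; False models Firefox, which does not."""
    trail = []
    ok = form_action_allows(csp_header, page_url, action_url)
    trail.append((action_url, "sent" if ok else "blocked"))
    if ok and redirect_url is not None:
        blocked = check_redirects and not form_action_allows(csp_header, page_url, redirect_url)
        trail.append((redirect_url, "blocked" if blocked else "sent"))
    return trail


if __name__ == "__main__":
    # URLs quoted in the issue: the feedback form posts to pretalx and then
    # redirects back to the fosdem.org schedule page.
    page = "https://pretalx.fosdem.org/fosdem-2024/talk/AC7NNS/feedback/"
    back = ("https://fosdem.org/2024/schedule/event/fosdem-2024-3472-"
            "switching-the-fosdem-conference-management-system-to-pretalx/")
    for value in ("'self'", "'self',https://fosdem.org"):
        header = csp_form_to_directive(value)
        print(header)
        print("  Chrome/Safari:", simulate_submission(header, page, page, back, True))
        print("  Firefox:      ", simulate_submission(header, page, page, back, False))
```

Running it shows the report in the issue: with form-action 'self' the first hop is sent in both browsers and only the redirect hop is blocked, and only under Chrome/Safari semantics, which is why the feedback was recorded despite the console error; with https://fosdem.org added, both hops pass in both models.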

@johanvdw
Member

johanvdw commented Mar 11, 2024

This must be related to my last changes (making the feedback visible to the speakers).

That was likely not the case, I only tested using Firefox, so probably this was like that from the start.
