fix: handle COOP policy blocking OAuth popup window.close()#107
Closed
glebedel wants to merge 1 commit intoStackOneHQ:mainfrom
Conversation
When the OAuth redirect page (e.g. app.stackone.com/embedded/accounts/callback) sets Cross-Origin-Opener-Policy: same-origin, the opener page loses the ability to call .close() on the popup window reference. This caused a browser error: 'Cross-Origin-Opener-Policy policy would block the window.close call.' The Hub's state was already updated correctly before the close() attempt, so wrapping the call in try/catch is sufficient: the popup will close itself via window.close() on the callback page, or the user can close it manually. Fixes both processMessageCallback and handleOAuthResultFromAnyChannel.
glebedel (Author, Contributor) commented:
Closing — the same fix was already shipped in 0.12.9 via #103 (useMemo-based allowedOrigins). The only change needed in pa-agent was removing the app-url override, which has been done separately.
Problem
When the Hub is embedded in a third-party app (e.g. pa-agent.stackone.space), the host app may set `app-url` to its own domain. The OAuth callback URL becomes `<host-app-origin>/embedded/accounts/callback` — a page that doesn't exist, so the OAuth popup has nowhere to land.

Even if the host app omits `app-url` (using the default `https://app.stackone.com`), the `processMessageCallback` origin check was too strict:

When the popup lands on `app.stackone.com/embedded/accounts/callback` and sends a `postMessage` back to the opener, the message origin is `app.stackone.com`. Since `window.location.origin` is the host app's domain (e.g. `pa-agent.stackone.space`), this check rejects every message — the OAuth flow never completes.

The previous fix (try-catch around `popup.close()`) only hid the symptom (COOP blocking `close()`). The root cause is that the message was never received in the first place.

Fix
Expand the origin allowlist to include both:
- `window.location.origin` — existing same-origin embedding behavior
- `new URL(dashboardUrl).origin` — the OAuth callback origin when Hub uses its default `app.stackone.com`

Invalid `dashboardUrl` values are caught and skipped so the fix is backwards-compatible.

How to test
Embed `<StackOneHub>` (or `<stackone-hub>`) in an app on a different domain (e.g. `localhost:3000` or a staging domain). Without `app-url` override, click Connect on a GitHub integration → OAuth popup opens → complete OAuth → popup closes and Hub shows success state.
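One way to implement the allowlist and the guarded popup close described in this PR, as an added example that is not the Hub's own code: function names are assumptions, and the host origin and dashboard URL are passed in as parameters instead of being read from `window`, so it runs outside a browser.

```javascript
// Added example, not code from stackone-hub. Names are assumptions.

// Build the set of origins the opener accepts OAuth callback messages from:
// the embedding host's own origin (existing same-origin behaviour) plus the
// origin of the dashboard URL the popup actually lands on. An unparsable
// dashboardUrl is skipped so a bad value cannot break the Hub.
function buildAllowedOrigins(hostOrigin, dashboardUrl) {
  const allowed = new Set([hostOrigin]);
  try {
    // URL.origin drops the path, so a full callback URL still yields
    // just "https://app.stackone.com".
    allowed.add(new URL(dashboardUrl).origin);
  } catch {
    // Invalid dashboardUrl: fall back to same-origin only.
  }
  return allowed;
}

// Gate a postMessage event on its origin. This is the check that previously
// compared against window.location.origin alone and therefore rejected the
// callback page's messages whenever the Hub was embedded on another domain.
// Only the origin is validated here; the payload needs its own checks.
function isTrustedCallbackOrigin(eventOrigin, allowedOrigins) {
  return allowedOrigins.has(eventOrigin);
}

// Close the popup if the opener is still allowed to. When the callback page
// sets Cross-Origin-Opener-Policy: same-origin the opener may lose that
// ability; the Hub state is updated before this call, so a failure is
// reported rather than propagated (the try/catch this PR thread discusses).
function safeClosePopup(popup) {
  try {
    popup.close();
    return true;
  } catch (err) {
    return false;
  }
}
```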