OAuth2 redirection flows are intercepted and continued with wrong content type
Closed this issue · 3 comments
While the plugin continues to work here, in opposition to the observation from #168, and successfully takes over Firefox's native JSON rendering, it appears it also interferes with some OAuth2 redirection flows and does not allow them to complete sufficiently.
During the callback dance, some requests respond with JSON, and redirect to HTML pages afterwards. Unfortunately, Firefox will try to interpret those as JSON, when the plugin is left active.
This happened during local development and a dance between http://localhost:3000 and an OAuth2 provider on https.
I scripted a tiny http server to demonstrate the problem:
https://gist.github.com/jonwolski/27f6b974474051b8ccd3440ff68dba54
It seems to arise when there is a content-type on a redirect response. The subsequent response gets interpreted with the redirect response's content-type.
It doesn't even have to be OAuth2, but that is where I see this the most. My company's IdP server sends content-type: application/json on the HTTP/2 302 redirect responses.
UPDATE: I should mention that I experience this in 2.1.0. From reading the code, it looks like #172 would fix this. I cannot tell if that has been released, and if so, what the release version is.
In fact, I'm pretty confident this is a duplicate of #172 (though this one came first :-) ). Also, the repro case on #173 is much simpler than mine. Kudos to @tlaundal.
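A stand-alone reproduction in Python, added here and not the gist linked in the report, that mimics the server behaviour described: a 302 whose Content-Type is application/json, followed by an HTML page. The client follows the redirect the way a browser does and returns the final response's Content-Type, which is the header a viewer must key its rendering on. Paths, bodies and the port are constructed for the demo.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed final page; the IdP-style 302 below points at it.
HTML_BODY = b"<html><body><h1>Logged in</h1></body></html>"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/start":
            # 302 that carries a JSON content-type and body, as the
            # issue describes the IdP's redirect responses doing.
            body = json.dumps({"status": "redirecting"}).encode()
            self.send_response(302)
            self.send_header("Location", "/done")
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/done":
            # The post-redirect page is HTML and must be rendered as such.
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(HTML_BODY)))
            self.end_headers()
            self.wfile.write(HTML_BODY)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    """Serve on an ephemeral localhost port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def final_content_type(base_url):
    """Follow the 302 like a browser; return the final Content-Type and body."""
    with urllib.request.urlopen(base_url + "/start") as resp:
        return resp.headers.get("Content-Type"), resp.read()

if __name__ == "__main__":
    srv = start_server()
    ctype, _ = final_content_type(f"http://127.0.0.1:{srv.server_port}")
    print(ctype)  # text/html; charset=utf-8, not application/json
    srv.shutdown()
```

A viewer that applies the redirect's application/json to the /done response would try to parse this HTML as JSON, which is the failure the report describes.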
Yup, I just haven't gotten around to releasing a new version.
Published a new version. It's out for Firefox, still in review for Chrome.