Provide a way for sites to pre-fill the openid login form
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Libravatar (obsolete) | Fix Released | Medium | François Marier |
Bug Description
Fedora Badges (https:/
<form method="POST" action="https:/
<input name="openid_
<input class="
</form>
which fails with a CSRF error message:
Forbidden (403)
CSRF verification failed. Request aborted.
because the CSRF token is missing from that request.
While we can't open this up completely, since that would enable login fixation, we could add a parameter on the OpenID login page to pre-fill the address in that form.
Changed in libravatar:
status: Confirmed → Fix Released
The easiest fix is probably to use "openid_identifier" for the parameter name and then change the Fedora Badges to a GET form action.
Patches can be sent here: https://github.com/fedora-infra/tahrir
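The approach proposed in this bug, as an added sketch that is not Libravatar's or Fedora Badges' code: a GET parameter named `openid_identifier` only pre-fills the login field, while the POST that actually starts the login still requires the session's CSRF token. The `/openid/login/` path, the `csrf_token` field name and the length cap are assumptions.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

LOGIN_PATH = "/openid/login/"   # hypothetical path
MAX_IDENTIFIER_LEN = 255        # assumed cap

def new_csrf_token():
    """Per-session secret that a third-party site cannot read or guess."""
    return secrets.token_urlsafe(32)

def render_login_form(query_string, csrf_token):
    """GET: pre-fill the field from ?openid_identifier=...; nothing is submitted."""
    prefill = parse_qs(query_string).get("openid_identifier", [""])[0].strip()
    # Discard oversized values and values carrying control characters.
    if len(prefill) > MAX_IDENTIFIER_LEN or any(ord(c) < 0x20 for c in prefill):
        prefill = ""
    # Attribute-escape both values: the pre-fill is attacker-controlled input.
    return (
        f'<form method="POST" action="{LOGIN_PATH}">\n'
        f'<input type="hidden" name="csrf_token" value="{html.escape(csrf_token)}">\n'
        f'<input name="openid_identifier" value="{html.escape(prefill)}">\n'
        '<input type="submit" value="Login">\n'
        '</form>'
    )

def handle_login_post(form, session_token):
    """POST: start the login only if the form carries this session's token."""
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return 403, None   # what the cross-site POST in this bug runs into
    return 200, form.get("openid_identifier", "")

if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed sample request from a linking site (GET, no token needed).
    print(render_login_form("openid_identifier=https%3A%2F%2Fexample.org%2Fid", token))
    # Constructed cross-site POST without the token: rejected.
    print(handle_login_post({"openid_identifier": "https://example.org/id"}, token))
```

The user still has to press the submit button on the pre-filled page, so a linking site can suggest an identifier but cannot start a login on the user's behalf.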