Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: enrollment overlay in Django 4.0.x #793

Merged
merged 2 commits into from
Jul 18, 2022
Merged

Fix: enrollment overlay in Django 4.0.x #793

merged 2 commits into from
Jul 18, 2022

Conversation

angela-tran
Copy link
Member

@angela-tran angela-tran commented Jul 18, 2022
edited
Loading

Closes #283

Summary

This PR sets SECURE_CROSS_ORIGIN_OPENER_POLICY to same-origin-allow-popups, which is the most secure option that still allows the overlay to work.

This setting was introduced in Django 4.0.x and by default, sets the Cross-Origin-Opener-Policy header to same-origin, which prevents cross-origin popups from accessing their opener's browsing context. Prior to Django 4.0.x, the header was unset.

If you look through the Javascript of our enrollment overlay, you'll notice that it makes use of Window.postMessage() to communicate with the Benefits window and needs to be able to store some variables on that window. So, it makes sense that this header value breaks it, since with it,

the window.opener property of the new window will be null

Other notes

@angela-tran angela-tran requested a review from a team as a code owner July 18, 2022 16:35
@angela-tran angela-tran self-assigned this Jul 18, 2022
@github-actions github-actions bot added back-end Django views, sessions, middleware, models, migrations etc. deployment-dev [auto] Changes that will trigger a deploy if merged to dev labels Jul 18, 2022
afeld
afeld previously approved these changes Jul 18, 2022
View reviewed changes
benefits/settings.py Show resolved Hide resolved
@afeld
Copy link
Contributor

afeld commented Jul 18, 2022

Noting that this branch (and dev) is still on Django 3.2, so this setting won't have an effect.

@angela-tran angela-tran force-pushed the fix/overlay-with-django-4 branch from a7dec6c to 1dfb5cc Compare July 18, 2022 20:16
@angela-tran angela-tran force-pushed the fix/overlay-with-django-4 branch from 1dfb5cc to 9ed26ad Compare July 18, 2022 20:19
afeld
afeld approved these changes Jul 18, 2022
View reviewed changes
Copy link
Contributor

@afeld afeld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, that's really all the changes that are needed to upgrade to Django 4? Were you able to test the application end to end to verify nothing else in the success path is broken?

@angela-tran
Copy link
Member Author

Wow, that's really all the changes that are needed to upgrade to Django 4? Were you able to test the application end to end to verify nothing else in the success path is broken?

Yep, tested the success path end-to-end.

image

A lot of the work had already been done in #256 and #268.
When we reverted back down to 3.2.x in #285, we didn't undo those changes.

thekaveman
thekaveman approved these changes Jul 18, 2022
View reviewed changes
Copy link
Member

@thekaveman thekaveman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work on this @angela-tran!! 🔎 🐛 💥

I tested the end-to-end flow locally and it all worked ✅

@angela-tran angela-tran merged commit 3733404 into dev Jul 18, 2022
@angela-tran angela-tran deleted the fix/overlay-with-django-4 branch July 18, 2022 22:16
@angela-tran angela-tran mentioned this pull request Jul 18, 2022
Merged
@afeld
Copy link
Contributor

afeld commented Jul 20, 2022

Shared your discovery: krakenjs/post-robot#84

@machikoyasuda
Copy link
Member

Yesssss 👏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thekaveman thekaveman thekaveman approved these changes

@afeld afeld afeld approved these changes

Assignees

@angela-tran angela-tran

Labels
back-end Django views, sessions, middleware, models, migrations etc. deployment-dev [auto] Changes that will trigger a deploy if merged to dev
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Django 4.0.x breaks enrollment overlay
4 participants
@angela-tran @afeld @machikoyasuda @thekaveman