OSM OAuth authorizations are failing across multiple services due to popup windows

While investigating a login issue with HOT Tasking Manager, we discovered that this is not confined to our service alone. We suspect that all logins that use OSM OAuth and a popup window are failing. That includes (what we have found so far):

  • OSMCha
  • HOT Export Tool
  • OSMUS Tasking Manager (and all other TMs)
  • OsmLT

Services that don’t use a popup window to handle login appear to be unaffected.

Is anyone else experiencing this issue as well and can help us shed some light on the matter?

2 Likes

Related discussion in the comments of this commit

2 Likes

A vulnerability was discovered that required setting the Cross-Origin-Opener-Policy header. To undo the change would be to knowingly release software with a security problem that has been published.

6 Likes

Moving from a popup-based auth to a redirect-based auth should be the approach to follow for websites that are having this issue.

We have a PR in place for HOT’s Tasking Manager:

1 Like

FYI, there is a solution in the works at fix popup auth broken due to new COOP header by k-yle · Pull Request #138 · osmlab/osm-auth · GitHub for those that require the popup-based flow.

3 Likes