OSM OAuth authorizations are failing across multiple services due to popup windows

While investigating a login issue with HOT Tasking Manager, we discovered that this is not confined to our service alone. We suspect that all logins that use OSM OAuth and a popup window are failing. That includes (what we have found so far):

  • OSMCha
  • HOT Export Tool
  • OSMUS Tasking Manager (and all other TMs)
  • OsmLT

Services that don’t use a popup window to handle login appear to be unaffected.

Is anyone else experiencing this issue as well and can help us shed some light on the matter?

3 Likes

Related discussion in the comments of this commit

2 Likes

A vulnerability was discovered that required setting the Cross-Origin-Opener-Policy header. To undo the change would be to knowingly release software with a security problem that has been published.

8 Likes

Moving from a popup-based auth to a redirect-based auth should be the approach to follow for websites that are having this issue.

We have a PR in place for HOT’s Tasking Manager:

2 Likes
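To make the two points above concrete (the Cross-Origin-Opener-Policy header breaking popup-based logins, and redirect-based auth as the way around it), here is an added example that is not code from osm-auth, the OSM website or this thread. It models the HTML spec's COOP "matching" rule to show when a popup keeps its `window.opener` link; the origins and header values used are constructed for illustration.

```javascript
// Added example: a model of the HTML spec's COOP matching rule, showing why a
// popup opened from a client site to an authorization server that sends
// "Cross-Origin-Opener-Policy: same-origin" loses its window.opener link.
// Origins and header values below are constructed for illustration only.

const COOP_VALUES = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);

// Browsers treat an absent or unrecognised header as the default "unsafe-none".
// Optional parameters after ";" (e.g. report-to) are ignored here.
function parseCoop(headerValue) {
  const v = (headerValue || "").split(";")[0].trim().toLowerCase();
  return COOP_VALUES.has(v) ? v : "unsafe-none";
}

// Spec "matching" check between the document currently in the popup and the
// document it is navigating to: both default, or same non-default value AND
// same origin.
function coopMatches(a, originA, b, originB) {
  if (a === "unsafe-none" && b === "unsafe-none") return true;
  if (a === "unsafe-none" || b === "unsafe-none") return false;
  return a === b && originA === originB;
}

// A fresh popup starts as about:blank inheriting the opener's COOP and origin.
// It keeps the opener only if the first navigation matches, or if the opener
// explicitly allowed popups and the target uses the default policy.
function popupKeepsOpener(openerCoop, openerOrigin, targetCoop, targetOrigin) {
  if (coopMatches(openerCoop, openerOrigin, targetCoop, targetOrigin)) return true;
  return openerCoop === "same-origin-allow-popups" && targetCoop === "unsafe-none";
}

// Defensive choice for a client: only use a popup flow when the popup would be
// able to talk back to the opener; otherwise fall back to a redirect flow.
function chooseAuthFlow(clientOrigin, clientCoopHeader, authOrigin, authCoopHeader) {
  const keep = popupKeepsOpener(
    parseCoop(clientCoopHeader), clientOrigin,
    parseCoop(authCoopHeader), authOrigin,
  );
  return keep ? "popup" : "redirect";
}

// Constructed scenario: a client with no COOP header opening a popup to an
// authorization server that now sends "same-origin".
console.log(chooseAuthFlow("https://tasks.example.org", undefined,
                           "https://auth.example.org", "same-origin")); // → redirect
```

Because the link is severed on the very first navigation, a later redirect back to the client's own origin inside the popup does not restore it, which is why the callback page cannot reach the opener through `window.opener`.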

FYI there is a solution in the works at fix popup auth broken due to new COOP header by k-yle · Pull Request #138 · osmlab/osm-auth · GitHub for those that require the popup-based flow

4 Likes

Thanks everyone for the investigation and fixes coming in. I posted a separate announcement topic for visibility, especially for anyone running their own instance of osm-website.

If anyone is using Rapid or a standalone instance of iD (such as the development preview) and got logged out in the last couple days, the osm-auth breakage has also prevented you from getting to the save screen. For now, you can follow these steps to log back in. (Just note that those steps are normally risky and you shouldn’t do that unless you understand the consequences.)

1 Like

I just merged this fix and released osm-auth v3.0.0.
I tested with a local copy of Rapid and the authentication flow seems fixed when using the new version.

6 Likes

Fixes to both editors are now deployed.

2 Likes