Can't log in to oss-fuzz.com with Safari/macOS

[nwellnhof]

When trying to log in to oss-fuzz.com with my Google account using Safari on macOS, I'm only seeing a box with a loading animation and nothing happens.

Safari Version 16.0 (17614.1.25.9.10, 17614)
macOS Monterey 12.6

[oliverchang]

Hmm, this works for me on Chrome across various platforms. Do you see anything in the console log output?

@alan32liu @Navidem do any of you have a macOS device to test this?

[nwellnhof]

Here's what I see on the console:

[Info] Successfully preconnected to https://fonts.gstatic.com/
[Error] Failed to load resource: the server responded with a status of 404 () (webcomponents-lite.js.map, line 0)
[Error] Failed to load resource: the server responded with a status of 404 () (apply-shim.min.js.map, line 0)
[Error] Failed to load resource: the server responded with a status of 404 () (custom-style-interface.min.js.map, line 0)
[Error] Refused to load data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIj8+Cjxzdmcgd2lkdGg9IjEyIiBoZWlnaHQ9IjQiIHZpZXdQb3J0PSIwIDAgMTIgNCIgdmVyc2lvbj0iMS4xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxlbGxpcHNlIGN4PSIyIiBjeT0iMiIgcng9IjIiIHJ5PSIyIj4KICAgIDxhbmltYXRlIGF0dHJpYnV0ZU5hbWU9ImN4IiBmcm9tPSIyIiB0bz0iLTEwIiBkdXI9IjAuNnMiIHJlcGVhdENvdW50PSJpbmRlZmluaXRlIiAvPgogIDwvZWxsaXBzZT4KICA8ZWxsaXBzZSBjeD0iMTQiIGN5PSIyIiByeD0iMiIgcnk9IjIiIGNsYXNzPSJsb2FkZXIiPgogICAgPGFuaW1hdGUgYXR0cmlidXRlTmFtZT0iY3giIGZyb209IjE0IiB0bz0iMiIgZHVyPSIwLjZzIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgLz4KICA8L2VsbGlwc2U+Cjwvc3ZnPgo= because it does not appear in the img-src directive of the Content Security Policy.
[Error] Failed to load resource: the server responded with a status of 403 () (report-csp-failure, line 0)
[Error] Unhandled Promise Rejection: TypeError: Right side of assignment cannot be destructured
(anonymous function)
rejectPromise
promiseReactionJob

[DonggeLiu]

Yep, it works on Chrome but not on Safari because of the same error.
I've tried logging in with my GitHub account and Google account, but both of them failed for the same reason.
Also tried logging in in the private/incognito mode, which did not work either.

[DonggeLiu]

I guess this relates to login failures?
Clicking on the side menu items (e.g., Testcases, Fuzzer Statistics, etc.) brought me back to the sign-in page (to choose whether to sign in with Google or GitHub account).

[marka63]

Same behaviour with Safari Version 16.0 (16614.1.25.9.10, 16614) on BigSur 11.7

[oliverchang]

@alan32liu or @Navidem can one of you help with this some time soon?

Per #2818 (comment) this is likely related to a missing CSP rule which we set up here: https://github.com/google/clusterfuzz/blob/1be95bd84e0868495a2b3c835b18577b2ae3e0e2/src/appengine/libs/csp.py

I don't have a macOS machine to debug this sadly.

[nwellnhof]

Maybe you have to add builder.add('img-src', 'data:')? But why is this only an issue with Safari?

[oliverchang]

@Navidem can you please help with this? I'm not sure why this is only an issue on Safari.

[Navidem]

@Navidem can you please help with this? I'm not sure why this is only an issue on Safari.

Sure, I will.

[Navidem]

I can confirm adding builder.add('img-src', 'data:') makes the CSP error disappear, but login issue persists.

[oliverchang]

@Navidem can you check if the workaround in firebase/firebaseui-web#977 (comment) works?

[Navidem]

firebase/firebaseui-web#977 (comment)

The solution did not help: at the time of login, a popup appears to select account but the console log show following error and UI returns back to the login page:

[Error] Unhandled Promise Rejection: TypeError: Right side of assignment cannot be destructured
	(anonymous function) (firebase-auth-compat.js:1:86987)
	asyncFunctionResume
	sendToConsumer (firebase-auth-compat.js:1:92175)
	(anonymous function) (firebase-auth-compat.js:1:91705)
	forEach
	onEvent (firebase-auth-compat.js:1:91645)
	(anonymous function) (firebase-auth-compat.js:1:98111)
	mm (cb=gapi.loaded_0:269:97)
	(anonymous function) (cb=gapi.loaded_0:269:268)
	Ek (cb=gapi.loaded_0:246:313)
	Nk (cb=gapi.loaded_0:246:475)
	hk (cb=gapi.loaded_0:247)
	(anonymous function) (cb=gapi.loaded_0:240:374)
	(anonymous function)

[jonathanmetzman]

CC @Byron

[jonathanmetzman]

I suspect we won't fix this soon. Maybe we should put a banner up asking people to use chrome or firefox?

[oliverchang]

Hmm, looking at https://firebase.google.com/docs/auth/web/redirect-best-practices, this might actually be easier to solve than expected if we just use https://firebase.google.com/docs/auth/web/redirect-best-practices#update-authdomain

[oliverchang]

Oh actually, we don't fit "If you host your app with Firebase Hosting on a custom domain or a subdomain of web.app, use Option 1.".

We'll need to go with Options 2, 3, 4, 5 instead. The best ones for us looks like 2 or 3.

[hogo6002]

Fixed. It's able to log in to oss-fuzz.com with Safari/macOS now.