
Let collectives configure a trusted domain for the contribution flow redirect

Open Betree opened this issue 3 years ago • 2 comments

Collectives can pass a redirect URL parameter to the contribution flow (including in its embedded version) to implement a custom "Success" page.

This redirect is currently protected by our pages/external-redirect.js mechanism, which means that unless we explicitly add their domain to the trusted domains list they'll get a scary confirmation message before the redirect actually happens.

There are a few issues with that:

  • We don't want to hardcode all these domains in our code
  • Editing the code manually is not easily maintainable/scalable (needs an engineer's intervention)
  • Adding/revoking a URL requires a merge & deploy
  • Trusted domains are per-account, not global: it's ok to redirect to https://webpack.js.org if you're Webpack, not if you're Babel

Solution

On /:account/admin/advanced (or /:account/admin/export if we rename it to "Widget"?), add a Trusted redirect domain where collective admins can set a valid redirect URL for their account. This URL should be inherited by children's projects & events.

MVP

Hardcode the flag in collective.settings.contributions.trustedRedirectDomain, but do not implement a real editing UI yet.

Related / alternative

For embedded: https://github.com/opencollective/opencollective/issues/4341

Betree avatar Jan 05 '23 12:01 Betree
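
A sketch of the per-account check proposed in the issue above, added here as an illustration and not taken from Open Collective's code base. Only the settings path `collective.settings.contributions.trustedRedirectDomain` comes from the issue; the function names, the `parent` field used for inheritance, the HTTPS-only rule for skipping confirmation, and the sample accounts are assumptions.

```javascript
'use strict';
// Added illustration, not Open Collective code. Names other than the settings path are hypothetical.

// Nearest trustedRedirectDomain on the account or its parents (projects and events inherit it).
function getTrustedRedirectDomain(account) {
  for (let a = account, depth = 0; a && depth < 5; a = a.parent, depth++) {
    const domain = a.settings?.contributions?.trustedRedirectDomain;
    if (domain) return domain.toLowerCase();
  }
  return null;
}

// 'direct'  : redirect without the confirmation page
// 'confirm' : send the user through the confirmation page first
// 'reject'  : not an absolute http(s) URL, never redirect
function classifyRedirect(account, redirectParam) {
  let url;
  try {
    url = new URL(redirectParam);
  } catch {
    return 'reject';
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return 'reject';
  if (url.username || url.password) return 'confirm'; // userinfo can disguise the real host
  const trusted = getTrustedRedirectDomain(account);
  // Exact hostname match: suffix or substring checks would also accept look-alike hosts.
  if (trusted && url.protocol === 'https:' && url.hostname === trusted) return 'direct';
  return 'confirm';
}

// Constructed sample accounts.
const webpack = { slug: 'webpack', settings: { contributions: { trustedRedirectDomain: 'webpack.js.org' } } };
const webpackEvent = { slug: 'webpack-meetup', settings: {}, parent: webpack };
const babel = { slug: 'babel', settings: {} };

function demo() {
  return [
    classifyRedirect(webpack, 'https://webpack.js.org/thanks'),
    classifyRedirect(webpackEvent, 'https://webpack.js.org/thanks'),
    classifyRedirect(babel, 'https://webpack.js.org/thanks'),
    classifyRedirect(webpack, 'https://webpack.js.org.other.example/thanks'),
    classifyRedirect(webpack, 'javascript:void(0)'),
  ];
}
console.log(demo());
```

The third case is the per-account point from the issue: the same URL that is trusted for Webpack still goes through confirmation when the contribution is to Babel.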

This redirect is currently protected by our pages/external-redirect.js mechanism, which means that unless we explicitly add their domain to the trusted domains list they'll get a scary confirmation message before the redirect actually happens.

I've been working with an Indico plugin that integrates Open Collective as a payment method and wondering why the redirect back to Indico is not working. And this seems to be the reason.

Was there any progress since this issue was created? I think it would be helpful for many collective folks who want to integrate OpenCollective with their website.

sukso96100 avatar Oct 08 '24 07:10 sukso96100

This redirect is currently protected by our pages/external-redirect.js mechanism, which means that unless we explicitly add their domain to the trusted domains list they'll get a scary confirmation message before the redirect actually happens.

I've been working with an Indico plugin that integrates Open Collective as a payment method and wondering why the redirect back to Indico is not working. And this seems to be the reason.

Was there any progress since this issue was created? I think it would be helpful for many collective folks who want to integrate OpenCollective with their website.

Hi @sukso96100, not yet but we can look into safe listing your domain if you share it here along with the collective you want to enable it for.

Betree avatar Oct 16 '24 08:10 Betree

This would be great to have for https://funds.ecosyste.ms/ as well

andrew avatar Feb 24 '25 14:02 andrew