refactor: removed inline script from form post html

rubenvanrooij · web-flow · commit 9270b613b391 · 2020-05-11T13:52:20.000+02:00
This accommodates the ability to whitelist form post in a CSP policy. See #716
diff --git a/lib/response_modes/form_post.js b/lib/response_modes/form_post.js
@@ -16,8 +16,11 @@ module.exports = function formPost(ctx, action, inputs) {
   ctx.body = `<!DOCTYPE html>
 <head>
   <title>Submitting Callback</title>
+  <script>
+    document.addEventListener('DOMContentLoaded', function () { document.forms[0].submit() });
+  </script>
 </head>
-<body onload="javascript:document.forms[0].submit()">
+<body>
   <form method="post" action="${action}">
     ${formInputs}
     <noscript>
diff --git a/test/device_code/code_verification_endpoint.test.js b/test/device_code/code_verification_endpoint.test.js
@@ -31,7 +31,7 @@ describe('GET code_verification endpoint', () => {
         .query({ user_code: '123-456-789' })
         .expect(200)
         .expect('content-type', 'text/html; charset=utf-8')
-        .expect(/<body onload="javascript:document\.forms\[0]\.submit\(\)"/)
+        .expect(/document.addEventListener\('DOMContentLoaded', function \(\) { document.forms\[0\].submit\(\) }\);/)
         .expect(({ text }) => {
           ({ state: { secret } } = this.getSession());
           expect(text).to.match(new RegExp(`input type="hidden" name="xsrf" value="${secret}"`));
diff --git a/test/device_code/device_resume.test.js b/test/device_code/device_resume.test.js
@@ -375,7 +375,7 @@ describe('device interaction resume /device/:user_code/:uid/', () => {
         await this.agent.get(path)
           .expect(200)
           .expect('content-type', 'text/html; charset=utf-8')
-          .expect(/<body onload="javascript:document\.forms\[0]\.submit\(\)"/)
+          .expect(/document.addEventListener\('DOMContentLoaded', function \(\) { document.forms\[0\].submit\(\) }\);/)
           .expect(/<input type="hidden" name="logout" value="yes"\/>/)
           .expect(({ text }) => {
             ({ state } = this.getSession());
diff --git a/test/interaction/interaction.test.js b/test/interaction/interaction.test.js
@@ -512,7 +512,7 @@ describe('resume after consent', () => {
       await this.agent.get('/auth/resume')
         .expect(200)
         .expect('content-type', 'text/html; charset=utf-8')
-        .expect(/<body onload="javascript:document\.forms\[0]\.submit\(\)"/)
+        .expect(/document.addEventListener\('DOMContentLoaded', function \(\) { document.forms\[0\].submit\(\) }\);/)
         .expect(/<input type="hidden" name="logout" value="yes"\/>/)
         .expect(({ text }) => {
           ({ state } = this.getSession());
