diff --git a/api/app/settings/common.py b/api/app/settings/common.py
index c1b0d2096371..ee76139d98d8 100644
--- a/api/app/settings/common.py
+++ b/api/app/settings/common.py
@@ -543,6 +543,7 @@ SECURE_REDIRECT_EXEMPT = env.list("DJANGO_SECURE_REDIRECT_EXEMPT", default=[])
 SECURE_REFERRER_POLICY = env.str("DJANGO_SECURE_REFERRER_POLICY", default="same-origin")
+SECURE_CROSS_ORIGIN_OPENER_POLICY = env.str("DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY", default="same-origin")
 SECURE_SSL_HOST = env.str("DJANGO_SECURE_SSL_HOST", default=None)
 SECURE_SSL_REDIRECT = env.bool("DJANGO_SECURE_SSL_REDIRECT", default=False)
diff --git a/docker-compose.yml b/docker-compose.yml
index 7eb99a893ff6..2c25b4032850 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,6 +42,10 @@ services:
 # Enable Task Processor
 TASK_RUN_METHOD: TASK_PROCESSOR # other options are: SYNCHRONOUSLY, SEPARATE_THREAD (default)
+ # Uncomment if you want to enable Google OAuth. Note this does not turn Google OAuth on. You still need to use
+ # Flagsmith on Flagsmith to enable it - https://docs.flagsmith.com/deployment/#oauth_google
+ # DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY: 'same-origin-allow-popups'
+
 # For more info on configuring E-Mails - https://docs.flagsmith.com/deployment/locally-api#environment-variables
 # Example SMTP:
 # EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
diff --git a/docs/docs/deployment/index.md b/docs/docs/deployment/index.md
index 9d10f26a91f1..fb86659c99f8 100644
--- a/docs/docs/deployment/index.md
+++ b/docs/docs/deployment/index.md
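Review bot: The value read on the added `SECURE_CROSS_ORIGIN_OPENER_POLICY` line is passed through unvalidated, and Django's `SecurityMiddleware` emits whatever string it is given as the `Cross-Origin-Opener-Policy` header, so a misspelt value such as `same-origin-allow-popup` is ignored by browsers and the page ends up behaving as `unsafe-none`, weaker than the `same-origin` default this line keeps. Django's system check `security.E024` does flag invalid values, but only when checks run (`manage.py check`, `migrate`, `runserver`), not under a WSGI/ASGI server, so validating at settings load is safer: `if SECURE_CROSS_ORIGIN_OPENER_POLICY not in ("same-origin", "same-origin-allow-popups", "unsafe-none"): raise ValueError("DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY must be one of same-origin, same-origin-allow-popups, unsafe-none")` (or `ImproperlyConfigured`, if this module already imports it). A short comment above the line would also tell operators why the knob exists: `# Cross-Origin-Opener-Policy; the unified image needs "same-origin-allow-popups" so the Google OAuth popup keeps its opener, "same-origin" stays the strict default`. The header is only sent when `SecurityMiddleware` is in `MIDDLEWARE`, which this hunk does not show.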
@@ -566,6 +566,17 @@ Create an OAuth application in the Google Developer Console and then provide the
 }
 ```
+If you are using the [unified Docker image](https://hub.docker.com/repository/docker/flagsmith/flagsmith), which serves
+both the API and the frontend through Django, ensure you configure the following environment variable in your
+deployment:
+
+```
+DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY=same-origin-allow-popups
+```
+
+For those hosting the frontend independently, make sure you set the `Cross-Origin-Opener-Policy` to
+`same-origin-allow-popups` for Google OAuth flow to work.
+
 ### Dark Mode
 We also have a Segment that manages the ui Dark Mode: