Add `form-action` CSP directive (#23478)

* Add form-action CSP directive (#20781)

* Fix OAuth flow being broken by recent CSP change (#20958)

* Fix form-action CSP directive for external login (#20962)
pull/23493/head
Claire 2023-02-09 20:56:37 +01:00 committed by GitHub
parent da5d81c90d
commit e26dd2ea8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 0 deletions

View File

@ -12,6 +12,10 @@ class Auth::SessionsController < Devise::SessionsController
before_action :set_instance_presenter, only: [:new]
before_action :set_body_classes
content_security_policy only: :new do |p|
p.form_action(false)
end
def create
super do |resource|
# We only need to call this if this hasn't already been

View File

@ -7,6 +7,10 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
before_action :authenticate_resource_owner!
before_action :set_cache_headers
content_security_policy do |p|
p.form_action(false)
end
include Localized
private

View File

@ -26,6 +26,7 @@ Rails.application.config.content_security_policy do |p|
p.media_src :self, :https, :data, assets_host
p.frame_src :self, :https
p.manifest_src :self, assets_host
p.form_action :self
if Rails.env.development?
webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }