From e26dd2ea8f2e911448578f5bc7a00ea877e3b668 Mon Sep 17 00:00:00 2001
From: Claire
Date: Thu, 9 Feb 2023 20:56:37 +0100
Subject: [PATCH] Add `form-action` CSP directive (#23478)

* Add form-action CSP directive (#20781)

* Fix OAuth flow being broken by recent CSP change (#20958)

* Fix form-action CSP directive for external login (#20962)
---
 app/controllers/auth/sessions_controller.rb | 4 ++++
 app/controllers/oauth/authorizations_controller.rb | 4 ++++
 config/initializers/content_security_policy.rb | 1 +
 3 files changed, 9 insertions(+)

diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index c4c8151e33..656e80e023 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -12,6 +12,10 @@ class Auth::SessionsController < Devise::SessionsController
   before_action :set_instance_presenter, only: [:new]
   before_action :set_body_classes
 
+  content_security_policy only: :new do |p|
+    p.form_action(false)
+  end
+
   def create
     super do |resource|
       # We only need to call this if this hasn't already been
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index bb5d639ced..bddf15eb53 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -7,6 +7,10 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   before_action :authenticate_resource_owner!
   before_action :set_cache_headers
 
+  content_security_policy do |p|
+    p.form_action(false)
+  end
+
   include Localized
 
   private
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index c113b0f8b9..6d896e6c1a 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
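Review bot: `p.form_action(false)` on the `new` action removes the directive entirely from the login page, which is exactly the page where an injected `<form action>` or `formaction` attribute pointing off-site would be most valuable to an attacker, so this is the broadest possible relaxation rather than an allow-list. The commit message ties it to external login, presumably because the redirect to the identity provider that follows the login-button POST is also checked against this page's `form-action` in some browsers, but nothing in the hunk records that reason. I would add `# form-action is dropped on the login page so external (SSO) login can leave the origin; see #20962` above the block, and if the provider's origin is known from configuration, consider listing that origin instead of `false` so same-origin posting stays enforced for every other form on the page.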
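Review bot: The `content_security_policy` block carries no `only:`, so `form-action` is removed from every response this controller produces, while the reason for removing it appears specific to the consent form and the redirect to the client's `redirect_uri` that follows its POST. A why-comment would stop a later reader from "fixing" this by restoring the default: `# The consent form POSTs here and is then redirected to the client's redirect_uri (often a custom scheme); browsers that apply form-action to post-submit redirects would block that, so the directive is removed.` If only the consent actions need it, `content_security_policy only: [:new, :create] do |p|` narrows the exposure; confirm against the Doorkeeper actions actually routed before scoping it. The enclosing class continues outside the hunk.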
@@ -26,6 +26,7 @@ Rails.application.config.content_security_policy do |p|
   p.media_src :self, :https, :data, assets_host
   p.frame_src :self, :https
   p.manifest_src :self, assets_host
+  p.form_action :self
 
   if Rails.env.development?
     webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
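Review bot: `p.form_action :self` is added without a comment, yet the two controller hunks in this same commit have to override it, which suggests the directive's side effect on post-submit redirects (some browsers check the redirect target of a form POST against `form-action` as well as the form's `action`) is not obvious to a reader of this file. I would state that on the line: `p.form_action :self # also constrains where a form POST may be redirected in some browsers; override per controller where a POST must leave the origin`. The policy block starts before the hunk, so any other directives that already permit external targets are outside this view and were not checked for consistency.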