mirror of https://github.com/tootsuite/mastodon
Add `form-action` CSP directive (#23478)
* Add form-action CSP directive (#20781) * Fix OAuth flow being broken by recent CSP change (#20958) * Fix form-action CSP directive for external login (#20962)pull/23493/head
parent
da5d81c90d
commit
e26dd2ea8f
|
@ -12,6 +12,10 @@ class Auth::SessionsController < Devise::SessionsController
|
|||
before_action :set_instance_presenter, only: [:new]
|
||||
before_action :set_body_classes
|
||||
|
||||
content_security_policy only: :new do |p|
|
||||
p.form_action(false)
|
||||
end
|
||||
|
||||
def create
|
||||
super do |resource|
|
||||
# We only need to call this if this hasn't already been
|
||||
|
|
|
@ -7,6 +7,10 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
|
|||
before_action :authenticate_resource_owner!
|
||||
before_action :set_cache_headers
|
||||
|
||||
content_security_policy do |p|
|
||||
p.form_action(false)
|
||||
end
|
||||
|
||||
include Localized
|
||||
|
||||
private
|
||||
|
|
|
@ -26,6 +26,7 @@ Rails.application.config.content_security_policy do |p|
|
|||
p.media_src :self, :https, :data, assets_host
|
||||
p.frame_src :self, :https
|
||||
p.manifest_src :self, assets_host
|
||||
p.form_action :self
|
||||
|
||||
if Rails.env.development?
|
||||
webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
|
||||
|
|
Loading…
Reference in New Issue