Commit b111e43a authored by ale's avatar ale

Drop form-action from CSP

Apparently browsers apply form-action to the redirect target of a form submission as well, not just to the form's action URL, so it blocks our post-login redirect and we can't use it.
parent 81b8bd24
......@@ -30,11 +30,11 @@ import (
)
// A relatively strict CSP.
const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"
const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
// Slightly looser CSP for the logout page: it needs to load remote
// images.
const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"
const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *; frame-ancestors 'none'; base-uri 'none';"
// Returns the URL of the login handler on the target service.
func serviceLoginCallback(service, destination, token string) string {
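Review bot: Removing form-action outright (the new `contentSecurityPolicy` constant on the line after `// A relatively strict CSP.`) leaves the login form free to POST to any origin, so a markup injection into the page could redirect submitted credentials elsewhere; an explicit allow-list is safer than dropping the directive. Since the redirect appears to go to the login handler on the target service (see `serviceLoginCallback` below), the permitted origins are presumably the configured services, so the policy could be built per request as `form-action 'self' <service origins>` instead of being a fixed constant — I can't tell from this hunk where the service list is available, so confirm that before relying on it. At minimum the comment above the constant should record why the directive is missing, e.g. `// form-action is deliberately omitted: browsers also apply it to the redirect target of a form POST, which blocks the post-login redirect to the target service.`, so a later cleanup does not treat its absence as an oversight; the same note applies to `logoutContentSecurityPolicy` two lines below. `serviceLoginCallback` starts on the last line of the hunk and its body continues outside it.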