Drop form-action from CSP

Apparently this is applied even after the redirect, so we can't use it.

Drop form-action from CSP
Apparently this is applied even after the redirect, so we can't use it.
b111e43a · ale · 81b8bd24 · b111e43a
Commit b111e43a authored May 06, 2020 by ale
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

server/http.go server/http.go +2 -2

No files found.
--- a/server/http.go
+++ b/server/http.go
@@ -30,11 +30,11 @@ import (
 )

 // A relatively strict CSP.
-const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"
+const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"

 // Slightly looser CSP for the logout page: it needs to load remote
 // images.
-const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"
+const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *; frame-ancestors 'none'; base-uri 'none';"

 // Returns the URL of the login handler on the target service.
 func serviceLoginCallback(service, destination, token string) string {