Ignore form action when doing oAuth2.

2025-01-03 20:57:19 -06:00 · 2019-01-27 17:15:40 +01:00 · 2019-01-27 17:15:40 +01:00 · 20b458f35d
commit 20b458f35d
parent cec8210d8b
1 changed files with 4 additions and 1 deletions
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@ -54,12 +54,15 @@ class SecureHeaders
            sprintf("script-src 'self' 'unsafe-eval' 'unsafe-inline' %s", $google),
            "style-src 'self' 'unsafe-inline'",
            "base-uri 'self'",
-            "form-action 'self'",
            "font-src 'self'",
            "connect-src 'self'",
            "img-src 'self' data: https://api.tiles.mapbox.com",
            "manifest-src 'self'",
        ];
+        $route = $request->route()->uri;
+        if($route !== 'oauth/authorize') {
+            $csp[] = "form-action 'self'";
+        }

        $featurePolicies = [
            "geolocation 'none'",