From 7fabd9d17f29d3bbbc40e8c31c1e33a2a8875464 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Tue, 20 Oct 2020 17:06:23 +0200
Subject: [PATCH] OpenID Connect: Disable form-action CSP on authorization page

Some browsers apply this CSP rules even to the redirect response after the POST requests, blocking the redirect_uri redirect
---
 app/controllers/api/openid_connect/authorizations_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/api/openid_connect/authorizations_controller.rb b/app/controllers/api/openid_connect/authorizations_controller.rb
index 555a718b3..46c08dea0 100644
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@@ -120,6 +120,7 @@ module Api
 @scopes = endpoint.scopes
 save_request_parameters
 @app = UserApplicationPresenter.new @o_auth_application, @scopes
+ override_content_security_policy_directives(form_action: %w[])
 render :new
 end
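Review bot: The added `override_content_security_policy_directives(form_action: %w[])` line drops the form-action restriction for the consent page altogether, which is wider than the problem described: only the post-submit redirect to the client's redirect_uri is being blocked, so a narrower override that keeps `'self'` and adds the origin of the already-validated redirect URI, e.g. `form_action: ["'self'", <validated redirect_uri origin>]`, would preserve the protection against an injected form on this page submitting elsewhere (assuming the endpoint has validated redirect_uri against the registered values before this point, which is outside the hunk). Whether an empty source list removes the directive or emits an empty `form-action` depends on the CSP helper in use, so the resulting header should be checked in a browser that enforces form-action on redirects. The reason for the override lives only in the commit message; a one-line comment above it such as `# CSP3 form-action is also enforced on the redirect after the consent POST, which would block the redirect_uri redirect` would keep it from being "cleaned up" later, and `[]` reads more naturally than `%w[]` for an intentionally empty list. The enclosing action begins before this hunk.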