From 35b2ba5030dd7fb5ddbb8cb34d0fd54cec8cf269 Mon Sep 17 00:00:00 2001 From: Rey Tucker Date: Wed, 12 Dec 2018 19:58:57 -0500 Subject: [PATCH] Remove form_action from CSP This trips an issue when trying to authenticate through to third-party sites, e.g. bridge.joinmastodon.org: Refused to send form data to 'https://bridge.joinmastodon.org/' because it violates the following Content Security Policy directive: "form-action 'self'". Thread: https://vulpine.club/@digifox/101230933751352042 --- config/initializers/content_security_policy.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 1617ad1c11..12b764a5a8 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -28,7 +28,6 @@ if Rails.env.production? p.worker_src :self, assets_host p.connect_src :self, :blob, Rails.configuration.x.streaming_api_base_url, *data_hosts p.manifest_src :self, assets_host - p.form_action :self end end