Remove form_action from CSP

This trips an issue when trying to authenticate through to
third-party sites, e.g. bridge.joinmastodon.org:

    Refused to send form data to 'https://bridge.joinmastodon.org/'
    because it violates the following Content Security Policy
    directive: "form-action 'self'".

Thread: https://vulpine.club/@digifox/101230933751352042

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 1617ad1c1191b1606e2d1822cad77eaf863e5e96..12b764a5a8a2e89076ac28b8d02af97591f8ec17 100644 (file)
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -28,7 +28,6 @@ if Rails.env.production?
     p.worker_src      :self, assets_host
     p.connect_src     :self, :blob, Rails.configuration.x.streaming_api_base_url, *data_hosts
     p.manifest_src    :self, assets_host
-    p.form_action     :self
   end
 end