Remove form-action 'self' from CSP default configuration

This setting breaks Single Sign On because it prevents forms from submitting to
an external site, which is exactly what the login form does when SSO is
enabled.

Closes-Bug: #2138262
Change-Id: Ia0e9df362b1ccc4c797a6cfe0f6d10a660f7c924
Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com>
(cherry picked from commit 40a8e74626)
Jorge Merlino
2026-01-12 19:02:26 -03:00
parent 6a422e3998
commit bd8a62cde5
2 changed files with 5 additions and 5 deletions


@@ -315,7 +315,7 @@ options:
enforce-ssl option must be true.
csp-options:
type: string
default: "frame-ancestors 'self'; form-action 'self';"
default: "frame-ancestors 'self';"
description: |
Options for the CSP (Content Security Policy) header. This header allows to
control which resources the user agent is allowed to load. For more details
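Review bot: Dropping `form-action 'self'` from the changed `default:` line lifts the form-target restriction for every deployment, not only those using SSO, yet the description that follows still presents the option purely as control over which resources may be loaded. The description should say what the default now leaves open and how an operator narrows it, e.g. `Form submission targets are not restricted by the default; deployments without SSO can append "form-action 'self';" and SSO deployments can list the identity provider's origin instead.` A narrower alternative would be keeping `form-action 'self'` and adding the SSO provider's origin when SSO is configured, if the charm knows that endpoint at render time; whether it does is not visible in this hunk. The description text continues past the end of the hunk.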


@@ -79,7 +79,7 @@ class TestHorizonContexts(CharmTestCase):
{'http_port': 70, 'https_port': 433,
'enforce_ssl': False,
'hsts_max_age_seconds': 0,
'csp_options': "frame-ancestors 'self'; form-action 'self';",
'csp_options': "frame-ancestors 'self';",
'custom_theme': False},
)
@@ -91,7 +91,7 @@ class TestHorizonContexts(CharmTestCase):
{'http_port': 70, 'https_port': 433,
'enforce_ssl': True,
'hsts_max_age_seconds': 0,
'csp_options': "frame-ancestors 'self'; form-action 'self';",
'csp_options': "frame-ancestors 'self';",
'custom_theme': False},
)
@@ -103,7 +103,7 @@ class TestHorizonContexts(CharmTestCase):
{'http_port': 70, 'https_port': 433,
'enforce_ssl': False,
'hsts_max_age_seconds': 0,
'csp_options': "frame-ancestors 'self'; form-action 'self';",
'csp_options': "frame-ancestors 'self';",
'custom_theme': False},
)
@@ -116,7 +116,7 @@ class TestHorizonContexts(CharmTestCase):
{'http_port': 70, 'https_port': 433,
'enforce_ssl': True,
'hsts_max_age_seconds': 15768000,
'csp_options': "frame-ancestors 'self'; form-action 'self';",
'csp_options': "frame-ancestors 'self';",
'custom_theme': False},
)
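Review bot: The new default string is hand-copied into four fixtures (the `'csp_options'` line of each of the four hunks), so the next change to the charm default means four more edits, and a typo in any one of them fails a single case with a diff that looks like a logic regression. Hoisting it once at module level, e.g. `DEFAULT_CSP_OPTIONS = "frame-ancestors 'self';"` and `'csp_options': DEFAULT_CSP_OPTIONS,` in each dict, keeps the expected value in one place. The test methods these expected dicts belong to start outside the hunks, so the surrounding assertions are not visible here.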