From bd8a62cde553a639868cacdba9cd62afa180aa4b Mon Sep 17 00:00:00 2001
From: Jorge Merlino
Date: Mon, 12 Jan 2026 19:02:26 -0300
Subject: [PATCH] Remove form-action 'self' from CSP default configuration

This setting breaks Single Sign On as it prevents the forms to submit to an external site, which is exactly what the login form does when SSO is enabled.

Closes-Bug: #2138262
Change-Id: Ia0e9df362b1ccc4c797a6cfe0f6d10a660f7c924
Signed-off-by: Jorge Merlino
(cherry picked from commit 40a8e74626d2cb551f424b8d16085bf71616046a)
---
 config.yaml | 2 +-
 unit_tests/test_horizon_contexts.py | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config.yaml b/config.yaml
index e665bd6c..170351f2 100644
--- a/config.yaml
+++ b/config.yaml
@@ -315,7 +315,7 @@ options:
 enforce-ssl option must be true.
 csp-options:
 type: string
- default: "frame-ancestors 'self'; form-action 'self';"
+ default: "frame-ancestors 'self';"
 description: |
 Options for the CSP (Content Security Policy) header. This header allows to control which resources the user agent is allowed to load. For more details
diff --git a/unit_tests/test_horizon_contexts.py b/unit_tests/test_horizon_contexts.py
index 5f549d03..eae4fd9f 100644
--- a/unit_tests/test_horizon_contexts.py
+++ b/unit_tests/test_horizon_contexts.py
@@ -79,7 +79,7 @@ class TestHorizonContexts(CharmTestCase):
 {'http_port': 70, 'https_port': 433, 'enforce_ssl': False, 'hsts_max_age_seconds': 0,
- 'csp_options': "frame-ancestors 'self'; form-action 'self';",
+ 'csp_options': "frame-ancestors 'self';",
 'custom_theme': False},
 )
 
@@ -91,7 +91,7 @@ class TestHorizonContexts(CharmTestCase):
 {'http_port': 70, 'https_port': 433, 'enforce_ssl': True, 'hsts_max_age_seconds': 0,
- 'csp_options': "frame-ancestors 'self'; form-action 'self';",
+ 'csp_options': "frame-ancestors 'self';",
 'custom_theme': False},
 )
 
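Review bot: Dropping `form-action` entirely on the `+ default:` line removes the restriction for every deployment, not only those using SSO — given any HTML-injection foothold in Horizon, an injected form or a rewritten `action` attribute can then post the login credentials to an arbitrary origin, which is the exfiltration path `form-action 'self'` existed to block. The narrower fix is to keep the directive and allow-list the identity provider; the charm cannot know that origin by default, so at minimum the `description:` text (whose body continues outside the hunk) should record the trade-off and the recommended override, e.g. `Deployments that do not use SSO should append "form-action 'self';"; SSO deployments should append "form-action 'self' https://<idp-host>;" so that only the identity provider may receive form posts.` The commit message's reasoning is plausible, since Horizon's WebSSO login submits cross-origin to Keystone, but it is worth noting in the description that a `frame-ancestors`-only default is a deliberate weakening rather than a cosmetic change, so operators re-tighten it consciously.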
@@ -103,7 +103,7 @@ class TestHorizonContexts(CharmTestCase):
 {'http_port': 70, 'https_port': 433, 'enforce_ssl': False, 'hsts_max_age_seconds': 0,
- 'csp_options': "frame-ancestors 'self'; form-action 'self';",
+ 'csp_options': "frame-ancestors 'self';",
 'custom_theme': False},
 )
 
@@ -116,7 +116,7 @@ class TestHorizonContexts(CharmTestCase):
 {'http_port': 70, 'https_port': 433, 'enforce_ssl': True, 'hsts_max_age_seconds': 15768000,
- 'csp_options': "frame-ancestors 'self'; form-action 'self';",
+ 'csp_options': "frame-ancestors 'self';",
 'custom_theme': False},
 )