Allow OIDC logout form submission in CSP form-action directive

The oidc-provider library renders logout forms with absolute URLs, which gets blocked by the strict form-action 'self' CSP directive.
2026-03-05 22:33:11 +00:00 · 2026-03-05 22:33:11 +00:00 · 17d29647b4
commit 17d29647b4
parent c3c8b6bcd4
1 changed files with 1 additions and 1 deletions
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@ -20,7 +20,7 @@ export default defineEventHandler((event) => {
      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
      "base-uri 'self'",
-      "form-action 'self'",
+      "form-action 'self' https://ghostguild.org",
    ].join('; ')
  }