jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Skip CSP on OIDC routes to fix logout form submission

Browse source 
The oidc-provider generates form actions with http:// URLs that
conflict with the CSP form-action directive. OIDC routes serve
self-contained HTML outside Nuxt, so CSP is not needed there.
This commit is contained in:
Jennie Robinson Faber 2026-03-05 23:05:52 +00:00
parent ba92075366
commit fed1cc4bc7
1 changed files with 17 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

29
server/middleware/02.security-headers.js
View file

@ -1,4 +1,6 @@
export default defineEventHandler((event) => {
const path = getRequestURL(event).pathname
const headers = {
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
@ -10,18 +12,21 @@ export default defineEventHandler((event) => {
if (process.env.NODE_ENV === 'production') {
headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
// CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
headers['Content-Security-Policy'] = [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
"font-src 'self'",
"connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
"base-uri 'self'",
"form-action 'self'",
].join('; ')
// Skip CSP for OIDC routes — they serve self-contained HTML
// rendered by oidc-provider with its own form actions
if (!path.startsWith('/oidc/')) {
headers['Content-Security-Policy'] = [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
"font-src 'self'",
"connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
"base-uri 'self'",
"form-action 'self'",
].join('; ')
}
}
for (const [key, value] of Object.entries(headers)) {