From fed1cc4bc79481cc59d8f2efc0be635567461676 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Thu, 5 Mar 2026 23:05:52 +0000
Subject: [PATCH] Skip CSP on OIDC routes to fix logout form submission
The oidc-provider generates form actions with http:// URLs that conflict with the CSP form-action directive. OIDC routes serve self-contained HTML outside Nuxt, so CSP is not needed there.
---
 server/middleware/02.security-headers.js | 29 ++++++++++++++----------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
index f29ce86..71cc91d 100644
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@@ -1,4 +1,6 @@
 export default defineEventHandler((event) => {
+  const path = getRequestURL(event).pathname
+
   const headers = {
     'X-Content-Type-Options': 'nosniff',
     'X-Frame-Options': 'DENY',
@@ -10,18 +12,21 @@ export default defineEventHandler((event) => {
   if (process.env.NODE_ENV === 'production') {
     headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
-    // CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
-    headers['Content-Security-Policy'] = [
-      "default-src 'self'",
-      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
-      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
-      "font-src 'self'",
-      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
-      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
-      "base-uri 'self'",
-      "form-action 'self'",
-    ].join('; ')
+    // Skip CSP for OIDC routes — they serve self-contained HTML
+    // rendered by oidc-provider with its own form actions
+    if (!path.startsWith('/oidc/')) {
+      headers['Content-Security-Policy'] = [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
+        "font-src 'self'",
+        "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
+        "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
+        "base-uri 'self'",
+        "form-action 'self'",
+      ].join('; ')
+    }
   }
   for (const [key, value] of Object.entries(headers)) {
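Review bot: The new guard `if (!path.startsWith('/oidc/'))` removes the entire Content-Security-Policy from every path under `/oidc/`, although the commit message names only `form-action 'self'` as the directive the provider's forms conflict with; the logout page (and any other HTML oidc-provider renders there) then runs without `default-src`, `script-src`, `frame-src` or `base-uri`, and those interactive auth pages are exactly where injection and framing protections are most valuable. The `http://` form actions described in the message are also worth treating as the root cause rather than working around: they suggest the provider's issuer or proxy settings report the wrong scheme, and a plaintext POST target means the logout submission is protected only in browsers that have already cached the HSTS header, whereas an `https://` issuer would satisfy `form-action 'self'` with no exemption at all. If the exemption must stay for now, keep the base directives on `/oidc/` and relax only `form-action`, as sketched below, so the prefix match (which also covers any route added under `/oidc/` later) cannot silently drop the whole policy. The enclosing `defineEventHandler` callback begins in the first hunk and continues past this one.
```javascript
  if (process.env.NODE_ENV === 'production') {
    // … unchanged: Strict-Transport-Security …
    // oidc-provider's pages post to the issuer URL rather than the Nuxt origin;
    // keep the rest of the policy on them and widen only form-action.
    const formAction = path.startsWith('/oidc/')
      ? `form-action 'self' ${OIDC_ISSUER_ORIGIN}` // placeholder: the provider's configured issuer origin
      : "form-action 'self'"
    headers['Content-Security-Policy'] = [
      "default-src 'self'",
      // … unchanged: script-src … base-uri directives …
      formAction,
    ].join('; ')
  }
```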