From a536bc4c976c378f021471bc937927cfb1b93e56 Mon Sep 17 00:00:00 2001
From: lafleur
Date: Sun, 10 Aug 2025 00:02:44 +0200
Subject: [PATCH] web::login: add form-data CSP rules for localhost
---
 src/web/oidc/response.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/web/oidc/response.rs b/src/web/oidc/response.rs
index aafaa788..9d6eac1b 100644
--- a/src/web/oidc/response.rs
+++ b/src/web/oidc/response.rs
@@ -24,10 +24,12 @@ pub struct OidcResponse {
 
 impl IntoResponse for OidcResponse {
 fn into_response(self) -> Response {
- let content_csp = match self.nonce {
- | Some(nonce) => &format!("default-src 'nonce-{nonce}'; form-action 'self';"),
- | None => "default-src 'none'; form-action 'self';",
+ let csp_src = match self.nonce {
+ | Some(nonce) => &format!("default-src 'nonce-{nonce}';"),
+ | None => "default-src 'none';",
 };
+ let csp_form_action = "form-action 'self' http://localhost http://127.0.0.1 http://[::1];";
+ let content_csp = format!("{csp_src} {csp_form_action}");
 let content_type = match self.body {
 | Some(OAuthRequestBody::Json(_)) => "application/json",
 | _ => "text/html",
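Review bot: The new `csp_form_action` string widens `form-action` to loopback origins on every `OidcResponse`, whether or not the client in the current flow uses a loopback redirect, so form submissions from these pages are no longer pinned to `'self'` for ordinary web clients. It would be tighter to append the loopback sources only when the already-validated redirect target is a loopback address; whether that value is reachable from this type is not visible in the hunk. As I read the CSP source-matching rules, a host-source without a port matches only the scheme's default port, so a native client listening on an ephemeral port would still be blocked, and the entries likely need the form `http://localhost:* http://127.0.0.1:*`. `http://[::1]` may also be ignored by browsers, because the host-source grammar does not appear to cover IPv6 literals, so that entry is worth testing before relying on it. At minimum a comment such as `// loopback redirect targets for native clients (RFC 8252); keep this list as narrow as possible` above the string would record why the policy is relaxed; `into_response` continues past the end of the hunk.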