From 20b458f35d3a6276c5ef5a7dd4873cf71ee2e84a Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sun, 27 Jan 2019 17:15:40 +0100
Subject: [PATCH] Ignore form action when doing oAuth2.

---
 app/Http/Middleware/SecureHeaders.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index 1e8a30fe37..90df83e700 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -54,12 +54,15 @@ class SecureHeaders
             sprintf("script-src 'self' 'unsafe-eval' 'unsafe-inline' %s", $google),
             "style-src 'self' 'unsafe-inline'",
             "base-uri 'self'",
-            "form-action 'self'",
             "font-src 'self'",
             "connect-src 'self'",
             "img-src 'self' data: https://api.tiles.mapbox.com",
             "manifest-src 'self'",
         ];
+        $route = $request->route()->uri;
+        if($route !== 'oauth/authorize') {
+            $csp[] = "form-action 'self'";
+        }
         $featurePolicies = [
             "geolocation 'none'",
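Review bot: `$request->route()->uri` on the first added line dereferences the matched route unconditionally, so a request that matched no route (or, if this middleware is registered globally, a call made before route resolution) would hit a null route and fail where the old code simply emitted the header; guard it, e.g. `$route = $request->route() !== null ? $request->route()->uri : '';`. The check also hard-codes the path `'oauth/authorize'`, which silently stops matching if the Passport route prefix is ever changed; comparing on the route name via `$request->routeIs(...)` would be more robust. Dropping `form-action` entirely leaves the authorize page with no form-action restriction at all, so the reason (presumably that browsers apply `form-action` to the post-approval redirect to the client's redirect_uri, which `'self'` blocks) deserves a comment on the `if`, and a narrower alternative would be to keep `'self'` and append the client's registered redirect URI if it is reachable from this middleware. Minor: PSR-12 spacing is `if ($route !== 'oauth/authorize') {`. The enclosing method starts and ends outside the hunk.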