From 6edb7f737b3a09116beee4107facc2d03979af0a Mon Sep 17 00:00:00 2001 From: Steve Breker Date: Mon, 13 Jan 2025 16:59:13 -0800 Subject: [PATCH] Update default CSP directive Add form-action directive to default CSP header. Limit form target to 'self'.
---
 config/app.yml | 1 +
 docker/bootstrap.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/app.yml b/config/app.yml
index e970e2f616..cdc65e8731 100644
--- a/config/app.yml
+++ b/config/app.yml
@@ -70,6 +70,7 @@ all:
 directives: >
 default-src 'self';
 font-src 'self' https://fonts.gstatic.com;
+ form-action 'self';
 img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data: https://www.gravatar.com/avatar/ https://*.google-analytics.com https://*.googletagmanager.com blob:;
 script-src 'self' https://*.googletagmanager.com 'nonce' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:;
 style-src 'self' 'nonce' https://fonts.googleapis.com;
diff --git a/docker/bootstrap.php b/docker/bootstrap.php
index 8116f774cb..cb88ecc22f 100644
--- a/docker/bootstrap.php
+++ b/docker/bootstrap.php
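Review bot: The added `form-action 'self'` line deserves a comment, because unlike the fetch directives around it (`font-src`, `img-src`, `script-src`, `style-src`) it has no `default-src` fallback, so omitting it silently leaves form submissions unrestricted; suggested: `# form-action does not fall back to default-src; keep it explicit`. Once the header is enforced, any form that posts to another origin — and, in some browsers, any post-submit redirect to another origin, such as an external login or SSO round-trip — is blocked, so the existing form targets (not visible in this patch) should be checked before rollout. The docker/bootstrap.php copy of the same policy in the next hunk gets the same addition and the same caveat.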
@@ -106,7 +106,7 @@ function get_host_and_port($value, $default_port)
 htmlpurifier_enabled: false
 csp:
 response_header: Content-Security-Policy-Report-Only
- directives: "default-src 'self'; font-src 'self'; img-src 'self' https://www.gravatar.com/avatar/ https://*.google-analytics.com https://*.googletagmanager.com blob:; script-src 'self' https://*.googletagmanager.com 'nonce'; style-src 'self' 'nonce'; worker-src 'self' blob:; connect-src https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com; frame-ancestors 'self';"
+ directives: "default-src 'self'; font-src 'self'; form-action 'self'; img-src 'self' https://www.gravatar.com/avatar/ https://*.google-analytics.com https://*.googletagmanager.com blob:; script-src 'self' https://*.googletagmanager.com 'nonce'; style-src 'self' 'nonce'; worker-src 'self' blob:; connect-src https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com; frame-ancestors 'self';"
 EOT;
 file_put_contents(_ATOM_DIR.'/apps/qubit/config/app.yml', $app_yml);
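Review bot: In this hunk the policy is emitted under `response_header: Content-Security-Policy-Report-Only`, so the new `form-action 'self'` is only reported in the docker image, never enforced; that may be intended for a dev container, but a one-line comment on the `response_header` line, e.g. `# report-only: form-action and the other directives are logged, not enforced`, would stop anyone assuming parity with config/app.yml, whose source lists already differ from this copy. The whole directive set is one ~400-character string inside what appears to be the `$app_yml` heredoc (opened before this hunk, closed by the `EOT;` line here); the app.yml version uses a `>` folded block with one directive per line, and the same layout would work inside the heredoc and keep future diffs to a single directive readable. Since the two copies must now be kept in step by hand, a `# keep in sync with config/app.yml csp.directives` comment at the `directives:` line is worth adding. The `get_host_and_port` name in the `@@` header is only git's context heuristic; the changed lines are YAML text, not PHP code in that function.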