From 59c814534c91e9777c6c21b16beabc20e9ddd60f Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Tue, 14 Apr 2026 07:54:51 +0000
Subject: [PATCH] oidc/callback: tighten Content-Security-Policy

Adds the following directives:
* `form-action`
* `frame-ancestors`

Ref:
* https://github.com/getodk/central/issues/1533
* https://github.com/getodk/central/pull/1742/
---
 lib/resources/oidc.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/resources/oidc.js b/lib/resources/oidc.js
index 6556ea2ef..f675981ca 100644
--- a/lib/resources/oidc.js
+++ b/lib/resources/oidc.js
@@ -175,7 +175,7 @@ module.exports = (service, __, anonymousEndpoint) => {
 // return redirect(303, nextPath);
 // Instead, we need to render a page and then "browse" from that page to the normal frontend:
- res.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; style-src-elem 'sha256-${styleHash}'; report-uri /csp-report`);
+ res.set('Content-Security-Policy', `default-src 'none'; form-action 'none'; frame-ancestors 'none'; img-src 'self'; style-src-elem 'sha256-${styleHash}'; report-uri /csp-report`);
 return render(loaderTemplate, { nextPath });
 } catch (err) {
 if (redirect.isRedirect(err)) {
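Review bot: `base-uri` is the remaining navigation directive that, like the newly added `form-action` and `frame-ancestors`, does not fall back to `default-src 'none'`, so the header on the `+` line still leaves relative URL resolution on the loader page (the `nextPath` passed to `render` and the relative `report-uri /csp-report`) unconstrained; if the intent is to close every directive `default-src` does not reach, add `base-uri 'none';` immediately after `default-src 'none';`. A one-line comment above the `res.set` call would stop a later edit from dropping the new directives as redundant, e.g. `// form-action, frame-ancestors and base-uri do not inherit from default-src, so they are listed explicitly`. As the template literal grows, building it from an array of directive strings joined with `'; '` would keep each directive reviewable on its own line. The enclosing handler and its `try` block begin before the hunk and the `catch` body continues past it.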