From a32e013909c1871987ac1a9000ed73b8d1950073 Mon Sep 17 00:00:00 2001
From: barrucadu <mike@barrucadu.co.uk>
Date: Fri, 28 Sep 2018 22:17:19 +0000
Subject: [PATCH] Relax form-action content security policy

'self' only allows forms submitted to the same origin, which
breaks the "remote follow" form.  To allow remote following,
we want to allow forms to be submitted to any host.
---
 installation/pleroma.nginx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 37871ea5b..f648336ca 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -77,7 +77,7 @@ server {
         add_header X-Content-Type-Options "nosniff" always;
         add_header Referrer-Policy "same-origin" always;
         add_header X-Download-Options "noopen" always;
-        add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always;
+        add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://example.tld; upgrade-insecure-requests;" always;
         
         # Uncomment this only after you get HTTPS working.
         # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;