From 8f192a40ed461f87b09e9748cedafb3dfbd5179d Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski <contact@cpluspatch.com>
Date: Tue, 11 Jun 2024 09:58:18 -1000
Subject: [PATCH] fix: :lock: Allow all origins in form-action CSP

---
 nuxt.config.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nuxt.config.ts b/nuxt.config.ts
index 6fc7585..d9ab0cd 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -36,8 +36,9 @@ export default defineNuxtConfig({
             contentSecurityPolicy: {
                 "img-src": ["'self'", "data:", "https:", "blob:"],
                 "script-src": ["'nonce-{{nonce}}'", "'strict-dynamic'"],
-                // Add https because of some browsers blocking form-action to 'self' if the page is from a redirect
-                "form-action": ["'self'", "https:", "tuba:"],
+                // Allow all origins for form-action, so that clients registering custom
+                // protocol handlers will work (native clients for example)
+                "form-action": ["*"],
                 "media-src": ["'self'", "https:", "blob:"],
             },
             crossOriginResourcePolicy: "cross-origin",