From 8a64ae740b767661059c12992a5dcbe353dd9729 Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin <joshua@museum-digital.de>
Date: Fri, 15 Nov 2019 00:28:05 +0100
Subject: [PATCH] Fix allowed form-action in content security policy

The 'self' form action is needed for uploading CSV files, so that they
can be validated.

phpcs-errors:253 phpunit-status:successful
---
 .htaccess | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.htaccess b/.htaccess
index b1464e6..0e595c8 100644
--- a/.htaccess
+++ b/.htaccess
@@ -29,6 +29,6 @@ DirectoryIndex index.php
 AddDefaultCharset UTF-8
 
 # Set content and feature security headers
-Header set Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://*.jrenslin.de; img-src 'self' https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action https://nat.museum-digital.de;"
+Header set Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://*.jrenslin.de; img-src 'self' https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self';"
 Header set Feature-Policy "midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'self'; gyroscope 'self'; speaker *; payment 'none'; fullscreen 'self'; geolocation 'none';"