[#4205] Allow any https: scheme for CSP form-action directive

Backport-of: #4223

src/openforms/conf/base.py

@@ -1022,13 +1022,17 @@
     "'self'",
 ] + config("CSP_EXTRA_DEFAULT_SRC", default=[], split=True)
 
-# CORS_ALLOWED_ORIGINS is included because we (likely) need to redirect back to those
-# third party domains that are embedding the SDK after login. Chrome in particular
-# validates the entire redirect chain, see: https://stackoverflow.com/a/69439102
+# Allow any 'https:' host, as we don't know in advance which target is used by eHerkenning.
+# Behavior is also different between browsers regarding redirects, see:
+# https://stackoverflow.com/a/69439102 / https://github.com/w3c/webappsec-csp/issues/8
 CSP_FORM_ACTION = (
-    ["'self'"]
+    config(
+        "CSP_FORM_ACTION",
+        default=["\"'self'\"", "https:"]
+        + config("CSP_EXTRA_FORM_ACTION", default=[], split=True),
+        split=True,
+    )
     + CORS_ALLOWED_ORIGINS
-    + config("CSP_EXTRA_FORM_ACTION", default=[], split=True)
 )
 
 # * service.pdok.nl serves the tiles for the Leaflet maps (PNGs) and must be whitelisted
@@ -1060,7 +1064,6 @@
 CSP_FRAME_ANCESTORS = ["'none'"]  # equivalent to X-Frame-Options: deny
 CSP_FRAME_SRC = ["'self'"]
 # CSP_NAVIGATE_TO = ["'self'"]  # this will break all outgoing links etc  # too much & tricky, see note on MDN
-# CSP_FORM_ACTION = ["'self'"]  # forms, possibly problematic with payments
 # CSP_SANDBOX # too much
 
 CSP_UPGRADE_INSECURE_REQUESTS = False  # TODO enable on production?

src/openforms/config/tests/test_admin.py

@@ -1,38 +1,13 @@
-from django.contrib.admin.sites import AdminSite
-from django.test import TestCase
 from django.urls import reverse
 
 from django_webtest import WebTest
 from maykin_2fa.test import disable_admin_mfa
 
 from openforms.accounts.tests.factories import SuperUserFactory
-from openforms.config.models import CSPSetting
-from openforms.payments.contrib.ogone.tests.factories import OgoneMerchantFactory
 
-from ..admin import CSPSettingAdmin
 from .factories import RichTextColorFactory
 
 
-class TestCSPAdmin(TestCase):
-    def test_content_type_link(self):
-        OgoneMerchantFactory()
-
-        csp = CSPSetting.objects.get()
-
-        admin_site = AdminSite()
-        admin = CSPSettingAdmin(CSPSetting, admin_site)
-
-        expected_url = reverse(
-            "admin:payments_ogone_ogonemerchant_change",
-            kwargs={"object_id": str(csp.object_id)},
-        )
-        expected_link = f'<a href="{expected_url}">{str(csp.content_object)}</a>'
-
-        link = admin.content_type_link(csp)
-
-        self.assertEqual(link, expected_link)
-
-
 @disable_admin_mfa()
 class ColorAdminTests(WebTest):
     def test_color_changelist(self):

src/openforms/contrib/digid_eherkenning/apps.py

@@ -6,7 +6,3 @@ class DigidEherkenningApp(AppConfig):
     name = "openforms.contrib.digid_eherkenning"
     label = "contrib_digid_eherkenning"
     verbose_name = _("DigiD/Eherkenning utilities")
-
-    def ready(self):
-        # register the signals
-        from .signals import trigger_csp_update  # noqa