[openstreetmap/openstreetmap-website] OAuth2 form-action CSP error (Issue #3424)

Robbendebiene notifications at github.com
Mon Jan 17 09:05:20 UTC 2022


### URL

https://master.apis.dev.openstreetmap.org/oauth2/authorize

### How to reproduce the issue?

When using OAuth2 on iOS we are getting the following error during the authorization:

`Refused to load our.scheme:/oauth2?code=X&state=Y because it does not appear in the form-action directive of the Content Security Policy.`

Afterwards we are still able to get and successfully authorize the user since the actual code is sent as a query parameter and not as form-data. However, this error completely breaks the authentication flow because it will be treated as a failure and the Safari WebView won't be closed.

From what I was able to find this seems like a common problem due to browsers handling things differently:
- https://github.com/w3c/webappsec-csp/issues/8
- https://github.com/openstreetmap/openstreetmap-website/issues/1909
- https://github.com/openstreetmap/openstreetmap-website/issues/3131
- https://github.com/nextcloud/server/pull/17411

I suspect the following line of code: https://github.com/openstreetmap/openstreetmap-website/blob/master/app/controllers/oauth2_authorizations_controller.rb#L10


Notes:
- We are using [AppAuth](https://appauth.io/) under the hood.
- Interestingly the authentication process on Android doesn't break, though I would assume it throws the same error.

### Screenshot(s) or anything else?

_No response_

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3424
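An added example (not code from openstreetmap-website and not a fix posted in this thread) of the defensive alternative to dropping `form-action` altogether: a Ruby helper that derives, for each redirect URI registered by an OAuth2 client, the narrowest CSP source expression that still lets the post-authorization redirect reach it. Web clients get their origin, native clients with a custom scheme (such as `our.scheme:/oauth2`) get a scheme-source; the function names and the `'self'` base are assumptions.

```ruby
# Added example, not the project's code. Derives the narrowest CSP form-action
# source for a registered OAuth2 redirect URI, so the directive can be widened
# per client instead of being removed or set to '*'.
require "uri"

# Hypothetical base: the authorization form itself posts back to the site.
CSP_FORM_ACTION_BASE = ["'self'"].freeze

# Returns the CSP source expression for one redirect URI, or nil if the URI
# must not be allowed (relative, unparsable, or a scheme a form must never reach).
def form_action_source_for(redirect_uri)
  uri = URI.parse(redirect_uri.to_s)
  return nil if uri.scheme.nil?

  scheme = uri.scheme.downcase
  return nil if %w[javascript data blob file].include?(scheme)

  if %w[http https].include?(scheme)
    return nil if uri.host.nil? || uri.host.empty?

    # Web client: allow exactly its origin (scheme, host, explicit non-default port).
    origin = "#{scheme}://#{uri.host.downcase}"
    origin += ":#{uri.port}" unless uri.port == uri.default_port
    origin
  else
    # Native client: CSP scheme-source form, e.g. "our.scheme:" for our.scheme:/oauth2
    "#{scheme}:"
  end
rescue URI::InvalidURIError
  nil
end

# Builds the full form-action directive value for all of a client's redirect URIs,
# silently skipping any that form_action_source_for rejects.
def form_action_directive(redirect_uris)
  sources = redirect_uris.map { |u| form_action_source_for(u) }.compact.uniq
  (CSP_FORM_ACTION_BASE + sources).join(" ")
end
```

The resulting value is what a Rails app would pass to the `form_action` directive for the authorization response only, leaving the site-wide policy unchanged.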