From e92090074190dca96cfb0f4835e6618ea995f450 Mon Sep 17 00:00:00 2001
From: Rob Hudson <robhudson@mozilla.com>
Date: Tue, 17 Dec 2024 08:35:53 -0800
Subject: [PATCH] Set the `form-action` direction in the report-only CSP

---
 bedrock/settings/__init__.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index 1616e66d916..adf53ea0fce 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -129,6 +129,7 @@
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE)
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["upgrade-insecure-requests"] = True
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["base-uri"] = [csp.constants.NONE]
+    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["form-action"] = [csp.constants.SELF, f"{BASKET_URL}/news/", FXA_ENDPOINT]
 
 
 # `CSP_PATH_OVERRIDES` and `CSP_PATH_OVERRIDES_REPORT_ONLY` are mainly for overriding CSP settings