2022-12-15 UTC
# M0x3b0b[m] Hmm. Okay, apparently it's specifically that current Chrome-based browsers apply the form-action CSP to redirects. That seems to mean if I want to use IndieAuth I need to either avoid Chrome-based browsers, allow form actions for basically anywhere, or maintain a specific list of targets (and leak the list in my headers). I guess I could be misunderstanding what I'm seeing.