From 489e8c5a400e4a420a644ba448c5e1f4f7f97599 Mon Sep 17 00:00:00 2001
From: Hongbo Wu <hongbo@omnivore.app>
Date: Mon, 19 Jun 2023 15:17:43 +0800
Subject: [PATCH 1/2] allow redirect to pocket auth page

---
 packages/web/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index da6ad160d..35c6af042 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
@@ -4,7 +4,7 @@ const ContentSecurityPolicy = `
   block-all-mixed-content;
   connect-src 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app storage.googleapis.com api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
   font-src 'self' data: cdn.jsdelivr.net;
-  form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL};
+  form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} https://getpocket.com;
   frame-ancestors 'none';
   frame-src self accounts.google.com platform.twitter.com www.youtube.com www.youtube-nocookie.com;
   manifest-src 'self';

From a0a5c4d57f878c4ccaaa6136eb2ae0ad98498d5c Mon Sep 17 00:00:00 2001
From: Hongbo Wu <hongbo@omnivore.app>
Date: Mon, 19 Jun 2023 15:20:41 +0800
Subject: [PATCH 2/2] only allow redirect to auth page

---
 packages/web/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index 35c6af042..cdf0e7c66 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
@@ -4,7 +4,7 @@ const ContentSecurityPolicy = `
   block-all-mixed-content;
   connect-src 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app storage.googleapis.com api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
   font-src 'self' data: cdn.jsdelivr.net;
-  form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} https://getpocket.com;
+  form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} https://getpocket.com/auth/authorize;
   frame-ancestors 'none';
   frame-src self accounts.google.com platform.twitter.com www.youtube.com www.youtube-nocookie.com;
   manifest-src 'self';