Refused to send form data to 'domain' because it violates the following Content Security Policy directive

This is a problem I have not been able to solve recently. A year ago the same setup worked fine, and I cannot pin it down because the setup has many components/blocks. Not sure where the problem is. Basically the browser is producing the following error

Refused to send form data to 'https://login.XXXX.com.au/' 
because it violates the following Content Security Policy directive: 
https://cloud.XXXX.com.au/login/flow/grant?stateToken=XXX&clientIdentifier=XXX&oauthState=XXX
"form-action 'self' https://app.XXXX.com.au/".

I have a docker setup consisting of nextcloud, vouch and some protected web apps. I run into this problem when trying to grant the browser (user) access to a protected app.

1- Access the protected app (app.xxxx.com.au)

2- The reverse proxy works out that the request is unauthorized and forwards to login (vouch) via Nextcloud (OAuth2.0 provider)

3- Nextcloud prompts for login, then the login Grant. But it hangs there, spinning... and that is when I notice the error

The site looks something like this (screenshot in the original post).

So it is SSO/OAuth2.0 with vouch and nextcloud as the OAuth2.0 authentication server. As I said, the whole system worked fine until I recently started hitting this problem.

  • app.XXX: the protected app
  • loginXXX: vouch
  • cloud.XX: Nextcloud

All are subdomains of the same domain.

I will post the nginx configs of the different servers, but I hope someone can help me by identifying the problematic block.

Network error captured via Chrome:

Request URL: https://cloud.XXXX.com.au/login/flow
Request Method: POST
Status Code: 403 
Remote Address: xxx.xxx.xxx.xxx:443
Referrer Policy: no-referrer
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TTFXU2lkVDNzWXBLeHFiYVVMU2FpaTJ1Ni9Qc3FBd3FmYnZiVWR2Qis4WT06VVMvUnk1V2gyZjBybGNtQUt2SDV4a2VlMjZmZTNWUmhNKzJMQXFtZ29aVT0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'
content-type: text/html; charset=UTF-8
date: Sat, 08 May 2021 05:10:28 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
pragma: no-cache
referrer-policy: no-referrer
server: nginx/1.18.0
vary: Accept-Encoding
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-robots-tag: none
x-xss-protection: 1; mode=block
:authority: cloud.XXXX.com.au
:method: POST
:path: /login/flow
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ar;q=0.8
cache-control: max-age=0
content-length: 314
content-type: application/x-www-form-urlencoded
cookie: oc_sessionPassphrase=7nyA960K5Qi05UrXfJYbR7PqDN3geuod0t4iU9PexX7zoTUC%2FWBUriUSzNvSc4nRF%2FIioMauYPhKcbWKe0lVoszQOu40E6T0gScCAewwjpKfY27VGNgPe%2Bw1Pi%2B1Ywb; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocyemq0ytbyv=2f27c5dc0a0aa041c31a626f7cd7966; ocpbh7t5ok9f=862ea031f3cad982ab176d58339f31e; ocmgpyyzx1bo=53201edd9ea33fcacc23103beb239f1; oc9u3zbg71na=4d6196dec8d018ce3cd340c42690003d; occ1jd68d7w4=6148c32daf9a66436e04fd85f1c13db0; ocjskrd6qpes=b846ae4a2342369a3b70edb4732e4810; ocjex7dsuhmn=f91560cac805f8151e86dd6b0112038; ocxuav81gicz=1974b7d3c5e13b21b995548dfecedf4; oc3vwbfqyogc=5277ea00dc070baa4de1dc24f17777d6; nc_username=yahya; ocvazuerhy2n=7544fb3699510e35b6506c9297a9194b; ocwhuhvrqpl4=5c1325ee29c8f9cc0777b76d5474f4a8; oc0n8vxf7sof=9a7670a3dad92972fa206690fb70930c; ocrps8rnsaow=8029688e78239ded5d87aba21228e1ed; nc_token=oSp85oZHHbLBlnYVDwJ4J%2F66RaZVF%2BN; nc_session_id=8029688e78239ded5d87aa21228e1ed
origin: null
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
clientIdentifier: So5JaKdYR8C4XclAfV4S2sMCefxDMhILnRHHAIeS4OxYZ43i6V4JMn2yG98CbhMB
requesttoken: BvHgl+jWzcGh5aGfUVE7KzkY9Ao+UccTGJujeZPOhCk=:ZIuj1amApbbAts7FKxRYZ1MoxF4MJJ9YVs3zKuGv3no=
stateToken: z8c9imJFbiQ13LjKtfKtF24dmor43bY247lMymgKGNHnVxFH9maEpfujINLvC8yK
oauthState: rk8bHsF7VaQeYG8n143RWt4oXXFG7BF2

@granty's suggestion and this post https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/8 helped me fix the CSP problem. Basically, I did not need to add any CSP in my reverse proxy or any of the nginx servers. All I had to do was edit the stock ContentSecurityPolicy.php and add the login.xxxxx.com.au domain to allow it as a form-action target.

Here is the code I had to update; the file is located at: /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php

/** @var array Domains which can be used as target for forms */
protected $allowedFormActionDomains = [
    '\'self\'',           // the CSP keyword 'self', quoted as a PHP string
    'login.XXXX.com.au',  // vouch host added so the login form may post there
];

See the following post: https://help.nextcloud.com/t/header-modification-add-google-search-more-than-8-apps-smaller-text/94985/7
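Why the stock policy refuses a sibling subdomain even though everything is under the same domain: 'self' in CSP means same origin (scheme, host and port), not same site. The following is an added example, not code from the post or from Nextcloud: a small Python model of the browser's form-action check, run on the captured header against the blocked target and then with login.XXXX.com.au added as a host source. It assumes only 'self', scheme and host sources matter and ignores ports and paths in source expressions (it is not a full CSP implementation).

```python
# Added example (not from the post or Nextcloud): a simplified model of how a
# browser evaluates form-action. 'self' is same-origin, so a sibling subdomain
# is refused unless it is listed as a host source.
from urllib.parse import urlsplit

# Constructed copy of the captured CSP header (nonce redacted, some directives omitted).
CSP_HEADER = ("default-src 'none';base-uri 'none';script-src 'nonce-XXX';"
              "connect-src 'self';frame-ancestors 'self';form-action 'self'")

def parse_csp(header):
    """Return {directive: [source expressions]} for one CSP header value."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin(url):
    """(scheme, host, port) tuple, filling in the default http(s) port."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)

def host_source_matches(source, target):
    """Match example.com, *.example.com or https://example.com (port/path ignored)."""
    scheme, host, _port = target
    src = source.lower()
    if "://" in src:
        src_scheme, src = src.split("://", 1)
        # an http source also matches an https target (CSP upgrade rule)
        if src_scheme != scheme and (src_scheme, scheme) != ("http", "https"):
            return False
    src_host = src.split("/", 1)[0].split(":", 1)[0]
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host

def form_action_allowed(csp_header, document_url, target_url):
    """True if a form on document_url may be submitted to target_url."""
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True  # form-action does not fall back to default-src
    doc, target = origin(document_url), origin(target_url)
    for source in sources:
        if source == "'self'" and target == doc:
            return True
        if not source.startswith("'") and host_source_matches(source, target):
            return True
    return False
```

Running it with the page at https://cloud.XXXX.com.au/login/flow and the target https://login.XXXX.com.au/ returns False for the captured header and True once login.XXXX.com.au is appended to form-action, which is exactly what the edit to ContentSecurityPolicy.php achieves.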
