Fixed: IndieAuth login broken for third-party apps

After adding security headers (Content-Security-Policy) to harden the site, logging in with IndiePass and other IndieAuth clients silently failed — tapping “authorize” did nothing.

The culprit was form-action 'self' in the CSP, which blocked browsers from following the consent form’s redirect to the client’s callback URL (e.g., indiepass.app/android-callback).

Changed to form-action 'self' https: to allow IndieAuth redirects to any HTTPS callback. Affects all third-party IndieAuth clients (Micropub editors, Microsub readers, etc.), not just IndiePass.
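
The effect of the two policies on the consent form's redirect, as an added example (not this site's code): a simplified form-action source matcher run against a constructed site origin, blog.example, and a constructed callback query string. It handles only 'none', 'self', scheme sources and exact host sources, not wildcards, ports or paths.

```javascript
// Simplified CSP form-action matching (illustrative, not a full CSP Level 3 matcher).
function getDirective(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive absent; form-action does not fall back to default-src
}

function formActionAllows(csp, pageUrl, targetUrl) {
  const sources = getDirective(csp, 'form-action');
  if (sources === null) return true; // no form-action directive: unrestricted
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target.origin === page.origin;
    // Scheme source such as "https:" matches any URL with that scheme.
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
    try {
      // Host source, with or without a scheme (simplification: exact host match).
      const hasScheme = s.includes('://');
      const host = new URL(hasScheme ? s : `https://${s}`);
      return target.host === host.host && (!hasScheme || target.protocol === host.protocol);
    } catch {
      return false; // unparseable source expression
    }
  });
}

// Constructed sample values: the site origin and query string are placeholders.
const SITE = 'https://blog.example/auth/consent';
const CALLBACK = 'https://indiepass.app/android-callback?code=SAMPLE';
const BEFORE = "default-src 'self'; form-action 'self'";
const AFTER = "default-src 'self'; form-action 'self' https:";

function demo() {
  return {
    before: formActionAllows(BEFORE, SITE, CALLBACK),
    after: formActionAllows(AFTER, SITE, CALLBACK),
    afterPlainHttp: formActionAllows(AFTER, SITE, 'http://client.example/cb'),
  };
}

console.log(demo());
```

With https: in the source list the form may submit or redirect to any HTTPS origin, while plain-HTTP callbacks stay blocked.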
