diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 459d5e996c..c4c5146e25 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -152,7 +152,11 @@ class SecurityMiddleware:
             'frame-src': '{static} https://js.stripe.com',
             'style-src': "{static}",
             'img-src': "{static} data: https://*.stripe.com",
-            'form-action': "{dynamic}",
+            # form-action is not only used to match on form actions, but also on URLs
+            # form-ations redirect to. In the context of e.g. payment providers or
+            # single-sign-on this can be nearly anything so we cannot really restrict
+            # this. However, we'll restrict it to HTTPS.
+            'form-action': "{dynamic} https:",
         }
         if 'Content-Security-Policy' in resp:
             h.update(self._parse_csp(resp['Content-Security-Policy']))