Comment 1 for bug 608920

Thanks for the report!

The view is overloaded, so a decorator won't work. We'll have to set the property on the response directly. server.py:508, where we set content-type for openid post responses, looks like the right place.

Because the view is overloaded, we'll need to add some additional automated tests to make sure we don't lose CSRF protection on the other aspects.