CSP: form-action

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context.

Warning: Whether form-action should block redirects after a form submission is debated and browser implementations of this aspect are inconsistent (e.g. Firefox 57 doesn't block the redirects whereas Chrome 63 does).

CSP version 2
Directive type Navigation directive
default-src fallback No. Not setting this allows anything.

Syntax

http
Content-Security-Policy: form-action 'none';
Content-Security-Policy: form-action <source-expression-list>;

This directive may have one of the following values:

'none'

No form submissions may be made. The single quotes are mandatory.

<source-expression-list>

A space-separated list of source expression values. Form submissions may be made to URLs that match any of the given source expressions.

Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in CSP Source Values. However, only the following subset of those values apply to form-action:

  • <host-source>
  • <scheme-source>
  • the keyword value 'self'.

Examples

Meta tag configuration

html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />

Apache configuration

apacheconf
<IfModule mod_headers.c>
  Header set Content-Security-Policy "form-action 'none';"
</IfModule>

Nginx configuration

nginx
add_header Content-Security-Policy "form-action 'none';"

Violation case

Using a <form> element with an action set to inline JavaScript will result in a CSP violation.

html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />

<form action="javascript:alert('Foo')" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue" />
  <input type="submit" id="submit" value="submit" />
</form>

<!--
// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
-->

Specifications

Specification
Content Security Policy Level 3
# directive-form-action

Browser compatibility

BCD tables only load in the browser

See also