CSP: form-action
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context.
Warning: Whether form-action should block redirects after a form submission is debated and browser implementations of this aspect are inconsistent (e.g. Firefox 57 doesn't block the redirects whereas Chrome 63 does).
CSP version | 2 |
---|---|
Directive type | Navigation directive |
default-src fallback | No. Not setting this allows anything. |
Syntax
Content-Security-Policy: form-action 'none';
Content-Security-Policy: form-action <source-expression-list>;
This directive may have one of the following values:
'none'
- No form submissions may be made. The single quotes are mandatory.
<source-expression-list>
- A space-separated list of source expression values. Form submissions may be made to URLs that match any of the given source expressions.
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in CSP Source Values. However, only the following subset of those values apply to form-action:
- <host-source>
- <scheme-source>
- the keyword value 'self'
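As an added example (not code from the MDN page), the following Node.js function decides whether a form submission target is permitted by the form-action directive of a given policy, covering only the subset listed above ('none', 'self', <scheme-source>, and <host-source> with an optional scheme, *. wildcard and port). Path matching and the absence of a default-src fallback are handled as the page describes; the policy strings and URLs are constructed inputs.

```javascript
// Simplified form-action matcher (added example, not MDN's or a browser's code).
// Returns the source list of the form-action directive, or null when absent.
function parseFormAction(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "form-action") return tokens.slice(1);
  }
  return null; // no form-action and no default-src fallback: anything is allowed
}

// <host-source>: [scheme://]host[:port], host may begin with "*." (paths ignored).
function hostSourceMatches(expr, target) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== target.protocol) return false;
  const h = target.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (!(wildcard ? h.endsWith("." + want) : h === want)) return false;
  if (port && port !== "*") {
    const targetPort = target.port || (target.protocol === "https:" ? "443" : "80");
    if (port !== targetPort) return false;
  }
  return true;
}

// pageUrl is the document origin the policy applies to; actionUrl may be relative.
function isFormActionAllowed(policy, pageUrl, actionUrl) {
  const sources = parseFormAction(policy);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, page);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;             // 'none' blocks every submission
    if (s === "'self'") {                         // same origin as the page
      if (target.origin === page.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {         // <scheme-source>, e.g. https:
      if (target.protocol === s) return true;
      continue;
    }
    if (hostSourceMatches(src, target)) return true;
  }
  return false;
}
```

The javascript: action from the violation case below is rejected under form-action 'none', while a policy without any form-action directive allows every target, mirroring the "no default-src fallback" row above.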
Examples
Meta tag configuration
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />
Apache configuration
<IfModule mod_headers.c>
Header set Content-Security-Policy "form-action 'none';"
</IfModule>
Nginx configuration
add_header Content-Security-Policy "form-action 'none';"
Violation case
Using a <form> element with an action set to inline JavaScript will result in a CSP violation.
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />
<form action="javascript:alert('Foo')" id="form1" method="post">
<input type="text" name="fieldName" value="fieldValue" />
<input type="submit" id="submit" value="submit" />
</form>
<!--
// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
-->
Specifications
Specification |
---|
Content Security Policy Level 3 # directive-form-action |
Browser compatibility