Set the form-action
directive in the report-only CSP
#15554
+1
−0
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces the
form-action
directive to the report-only Content Security Policy (CSP) header. The goal is to test and evaluate its compatibility before eventually applying it to the enforced CSP header. Theform-action
directive restricts where forms on the site can send their data upon submission, adding an additional layer of security to prevent potential vulnerabilities.Why
form-action
is Important for SecurityThe
form-action
directive is a key security measure designed to mitigate attacks that exploit form submissions, such as:By specifying trusted domains or paths for form submissions,
form-action
ensures that forms behave only as intended and cannot be abused for unauthorized data capture.Next Steps
form-action
.References
MDN Documentation on
form-action
I used an AI to write some of this code.
Issue / Bugzilla link
#15553 (from #11943)
Testing
form-action
directive in the report-only CSP header locally.DEBUG=False
- CSP headers aren't added while in DEBUG modeCSP_RO_REPORT_URI=/csp-violation
- the report-only header will only be added if this is set.