form-action

Recommended Values

• 'self' Allow form submissions to the same origin.

• https://subdomain.domain.com/path Allow form submissions to a specific subdomain of a trusted domain.

• Explore detailed value definitions

Content-Security-Policy: form-action 'self';

Tips & Tricks

• If not specified, form submissions to any URL are allowed, which could potentially be exploited.

• Always explicitly define form-action to prevent unauthorized form submissions.

• Consider using 'self' as a baseline and add trusted domains as needed.

Possible Values

• 'none': No form submissions allowed
• 'self': Only allow form submissions to same origin
• URLs: Specific domains (e.g., https://trusted-domain.com)
• Schemes: Protocol schemes (e.g., https:)

Example Configurations

Basic policy with self

Content-Security-Policy: form-action 'self';

Allowed

<form action="/submit" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>

Blocked

<form action="https://malicious.website.com/submit">
  <input type="text" name="username" value="user123">
  <input type="password" name="password" value="secretpass">
  <input type="submit" value="login">
</form>

Additional Information

• The form-action directive is crucial for preventing CSRF attacks
• It works in conjunction with other security measures like CSRF tokens
• Consider using this directive alongside frame-ancestors for complete clickjacking protection
• The directive only controls where forms can be submitted, not the method (POST, GET, etc.)

Related Resources

External Articles

• MDN Web Docs: form-action
• OWASP: Content Security Policy Cheat Sheet
• Google Web Fundamentals: Content Security Policy

Related Documentation Sections

• default-src Directive
• frame-ancestors Directive
• CSP Best Practices
• Understanding CSRF Protection