form-action
The form-action directive restricts the URLs that can be used as the target of form submissions from a given context. This directive helps prevent Cross-Site Request Forgery (CSRF) attacks by limiting where forms can be submitted.
Recommended Values
'self' Allow form submissions to the same origin.
https://subdomain.domain.com/path Allow form submissions to a specific subdomain of a trusted domain.
Recommended form-action configuration
Content-Security-Policy: form-action 'self';
Tips & Tricks
If not specified, form submissions to any URL are allowed, which could potentially be exploited.
Always explicitly define form-action to prevent unauthorized form submissions.
Consider using 'self' as a baseline and add trusted domains as needed.
Possible Values
- 'none': No form submissions allowed
- 'self': Only allow form submissions to the same origin
- URLs: Specific domains (e.g., https://trusted-domain.com)
- Schemes: Protocol schemes (e.g., https:)
Example Configurations
Basic policy with self
Restricts form submissions to same origin
Content-Security-Policy: form-action 'self';
Allowed
<form action="/submit" id="form1" method="post">
<input type="text" name="fieldName" value="fieldValue">
<input type="submit" id="submit" value="submit">
</form>
Blocked
<form action="https://malicious.website.com/submit">
<input type="text" name="username" value="user123">
<input type="password" name="password" value="secretpass">
<input type="submit" value="login">
</form>
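To show how the values above are actually applied to a form, here is an added example (not code from the original page): a simplified JavaScript evaluator for the form-action directive that resolves each form's action against the page URL and checks it against the directive's source list. It handles 'none', 'self', scheme sources such as https: and host sources such as https://subdomain.domain.com/path; wildcards, nonces and hashes are left out, a host source without a scheme is assumed to use the page's own scheme, and the page origin https://app.example.com and the HTML fragment are constructed for the demo.

```javascript
// Added example, not taken from the original page: a simplified evaluator for
// the CSP form-action directive. Assumptions: only 'none', 'self', scheme-source
// (https:) and host-source (https://host[:port][/path]) are handled; wildcards,
// nonces and hashes are not, and a host-source without a scheme uses the page's
// own scheme. Input is the header *value* (without "Content-Security-Policy:").

// Return the form-action source list, or null when the directive is absent.
// form-action does not fall back to default-src, so absent means unrestricted.
function parseFormAction(headerValue) {
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'form-action') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Match one host-source expression against the resolved target URL.
function hostSourceMatches(source, page, target) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() : page.protocol.slice(0, -1);
  let origin;
  try {
    origin = new URL(`${scheme}://${m[2]}`).origin;
  } catch {
    return false; // an unparsable source expression never matches anything
  }
  if (origin !== target.origin) return false;
  const path = m[3];
  if (path === undefined) return true;                              // no path: any path on that origin
  if (path.endsWith('/')) return target.pathname.startsWith(path);  // trailing slash: prefix match
  return target.pathname === path;                                  // otherwise: exact path match
}

// Decide whether a form with the given action may be submitted from pageUrl.
function isFormActionAllowed(headerValue, pageUrl, formAction) {
  const sources = parseFormAction(headerValue);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const target = new URL(formAction, pageUrl); // relative actions resolve against the page

  for (const source of sources) {
    const keyword = source.toLowerCase();
    if (keyword === "'none'") continue;          // matches nothing
    if (keyword === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(keyword)) {  // scheme-source such as https:
      if (target.protocol === keyword) return true;
      continue;
    }
    if (hostSourceMatches(source, page, target)) return true;
  }
  return false;
}

// Pull the action attribute of every <form> in an HTML fragment (regex is
// enough for this constructed input; a real audit would use an HTML parser).
function formActions(html) {
  const actions = [];
  const re = /<form\b[^>]*\baction="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) actions.push(m[1]);
  return actions;
}

// Report, for each form on the page, whether the policy lets it submit.
function auditForms(headerValue, pageUrl, html) {
  return formActions(html).map((action) => ({
    action,
    allowed: isFormActionAllowed(headerValue, pageUrl, action),
  }));
}

// Constructed sample: the two forms from this page, served from a hypothetical
// origin under the page's recommended policy.
const SAMPLE_POLICY = "form-action 'self';";
const SAMPLE_PAGE = 'https://app.example.com/login';
const SAMPLE_HTML = `
<form action="/submit" id="form1" method="post"></form>
<form action="https://malicious.website.com/submit"></form>
`;

for (const r of auditForms(SAMPLE_POLICY, SAMPLE_PAGE, SAMPLE_HTML)) {
  console.log(`${r.allowed ? 'allowed' : 'blocked'}  ${r.action}`);
}
```

Run it with node; the first form (relative action, same origin) is reported as allowed and the second (foreign origin) as blocked, matching the Allowed and Blocked cases above. Because form-action is not covered by default-src, a policy that omits it leaves the evaluator returning true for every target, which is the unrestricted state the Tips & Tricks section warns about.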
Additional Information
- The form-action directive is crucial for preventing CSRF attacks
- It works in conjunction with other security measures like CSRF tokens
- Consider using this directive alongside frame-ancestors for complete clickjacking protection
- The directive only controls where forms can be submitted, not the method (POST, GET, etc.)
Related Resources
External Articles
- MDN Web Docs: form-action
- OWASP: Content Security Policy Cheat Sheet
- Google Web Fundamentals: Content Security Policy