form-action

The form-action directive restricts the URLs that forms in a given context may submit to. It helps prevent Cross-Site Request Forgery (CSRF) attacks by limiting the destinations to which forms can be submitted.

Recommended Values

  • 'self' Allow form submissions to the same origin.

  • https://subdomain.domain.com/path Allow form submissions to a specific subdomain of a trusted domain.

Recommended form-action configuration

Content-Security-Policy: form-action 'self';

Tips & Tricks

  • If not specified, form submissions to any URL are allowed, which could be exploited. Note that form-action does not fall back to default-src, so it must be set explicitly.

  • Always explicitly define form-action to prevent unauthorized form submissions.

  • Consider using 'self' as a baseline and add trusted domains as needed.

Possible Values

  • 'none': No form submissions allowed
  • 'self': Only allow form submissions to the same origin
  • URLs: Specific domains (e.g., https://trusted-domain.com)
  • Schemes: Protocol schemes (e.g., https:)

Example Configurations

Basic policy with self

Restricts form submissions to the same origin

Content-Security-Policy: form-action 'self';

Allowed

<form action="/submit" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>

Blocked

<form action="https://malicious.website.com/submit">
  <input type="text" name="username" value="user123">
  <input type="password" name="password" value="secretpass">
  <input type="submit" value="login">
</form>
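The matching rules listed under Possible Values, applied to the Allowed and Blocked forms above, as an added example that is not part of the original page. It models in Python how a browser checks a form's action URL against the form-action source list ('none', 'self', scheme sources such as https:, and host sources with optional scheme, *.wildcard label, port and path). The header value, page URL, form targets and function names are constructed for this example.

```python
"""Check a form's submit target against a CSP form-action source list.

Added example, not code from the original page: a self-contained model of how
a browser decides whether a <form action="..."> target is allowed by form-action.
The policy and URLs used below are constructed sample inputs.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample policy and page URL (not from the original page).
POLICY = "default-src 'self'; form-action 'self' https://*.partner.example/checkout/"
PAGE = "https://shop.example/login"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _url_parts(url: str):
    """Return (scheme, host, port, path) for an absolute URL, filling in default ports."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme), u.path or "/"


def _host_source_matches(source: str, target: str, page_scheme: str) -> bool:
    """Match one host-source expression (e.g. https://*.example.com:8443/app/) against target."""
    t_scheme, t_host, t_port, t_path = _url_parts(target)
    # A scheme-less host source inherits the scheme of the page that carries the policy.
    scheme, rest = source.split("://", 1) if "://" in source else (page_scheme, source)
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    scheme, host = scheme.lower(), host.lower()
    # Scheme: exact match, except that an http: source also permits https: targets.
    if t_scheme != scheme and not (scheme == "http" and t_scheme == "https"):
        return False
    # Host: "*.example.com" matches any subdomain but not the bare domain itself.
    if host.startswith("*."):
        if not t_host.endswith(host[1:]):
            return False
    elif t_host != host:
        return False
    # Port: "*" allows any port, an explicit port must match, and an absent port
    # means the target must use its scheme's default port.
    if port == "*":
        pass
    elif port:
        if t_port != int(port):
            return False
    elif t_port != DEFAULT_PORTS.get(t_scheme):
        return False
    # Path: absent matches everything, a trailing "/" is a prefix match, else exact match.
    if slash:
        path = "/" + path
        return t_path.startswith(path) if path.endswith("/") else t_path == path
    return True


def form_action_allowed(header: str, page_url: str, action: str) -> bool:
    """Return True if form-action in `header` lets a form on `page_url` submit to `action`.

    A missing form-action directive allows any destination (the directive does not
    fall back to default-src). A relative action is resolved against the page URL.
    """
    sources = parse_csp(header).get("form-action")
    if sources is None:
        return True
    target = urljoin(page_url, action)
    p_scheme, p_host, p_port, _ = _url_parts(page_url)
    t_scheme, t_host, t_port, _ = _url_parts(target)
    for src in sources:
        low = src.lower()
        if low == "'none'":
            continue  # matches nothing; any other listed source may still match
        if low == "'self'":
            if (t_scheme, t_host, t_port) == (p_scheme, p_host, p_port):
                return True
            continue
        if low.endswith(":") and "/" not in low:  # scheme source, e.g. https:
            if t_scheme == low[:-1]:
                return True
            continue
        if _host_source_matches(src, target, p_scheme):
            return True
    return False


if __name__ == "__main__":
    for action in ["/submit", "https://pay.partner.example/checkout/start",
                   "https://partner.example/checkout/start", "https://malicious.website.com/submit"]:
        verdict = "allowed" if form_action_allowed(POLICY, PAGE, action) else "blocked"
        print(f"{verdict:8} {action}")
```

Run stand-alone, the script reports the same-origin `/submit` form as allowed and the form pointing at https://malicious.website.com as blocked, mirroring the two forms above; the wildcard source additionally admits `pay.partner.example` under `/checkout/` but not the bare `partner.example` host.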

Additional Information

  • The form-action directive is crucial for preventing CSRF attacks
  • It works in conjunction with other security measures like CSRF tokens
  • Consider using this directive alongside frame-ancestors for complete clickjacking protection
  • The directive only controls where forms can be submitted, not the method (POST, GET, etc.)
