recommend setting form-action to 'none', 'self' and specific domains for Content-Security-Policy #524
Comments
See also #325 (comment)
@baknu when we say "recommend" here - is that a failure if not set? The CSP test currently does not have different levels, it fails or it succeeds - though no scoring impact currently.
Yep, the requirement level of the CSP subtest is currently "RECOMMENDED". This is shown at the end of the test explanation. For some background of the different requirement levels see: https://en.internet.nl/faqs/report/ So, a domain without Note that we might upgrade the requirement level of the CSP subtest later to "REQUIRED", although we do not have any plans for that yet. Btw we should also add
This won't fall back to `default-src` since it was introduced in v2. Eventually, when CSP v3 is stable, `navigate-to` will be similar, but `navigate-to` is a much broader feature that's harder to use. Sites generally have very few origins where they need to submit forms, but probably do have a lot of external links, etc. they don't want to allow list.
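The check the issue asks for, written out as an added example (this is not internet.nl's own test code and not from anyone in the thread). It parses a `Content-Security-Policy` header value and reports whether `form-action` is missing, unrestricted, or limited to `'none'`, `'self'` and specific origins. Because `form-action` is not covered by the `default-src` fallback, a policy that only sets `default-src` is reported as missing. The sample headers, the function names and the three status labels are constructed for this example.

```python
"""Classify the form-action directive of a Content-Security-Policy header.

Added example; not code from internet.nl or from this issue. It models two
points from the thread: form-action does not fall back to default-src, and a
policy only counts as restrictive when form-action is limited to 'none',
'self' and/or specific origins (no bare '*' and no scheme-only sources).
"""
import re

# A scheme-source such as "https:" allows any host over that scheme.
_SCHEME_SOURCE = re.compile(r"[a-z][a-z0-9+.\-]*:")


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source, ...]}.

    Directives are ';'-separated; the first token is the (case-insensitive)
    name. When a directive is repeated, CSP keeps the first occurrence and
    ignores later ones, so this parser does the same.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def _is_specific_origin(src):
    """True for 'none', 'self', or a host-source naming a specific host."""
    s = src.lower()
    if s in ("'none'", "'self'"):
        return True
    if s == "*" or s.startswith("'"):
        # Bare wildcard, or a keyword other than none/self (e.g. 'unsafe-inline').
        return False
    if _SCHEME_SOURCE.fullmatch(s):
        return False
    # Host-source: strip scheme, path and port, then reject a wildcard-only host.
    host = s.split("://", 1)[1] if "://" in s else s
    host = host.split("/", 1)[0].split(":", 1)[0]
    # "*.example.com" still names one site's subdomains and is kept as specific.
    return bool(host) and host != "*"


def check_form_action(header):
    """Return (status, reason) for the form-action directive of a policy.

    status is one of:
      "missing"      - no form-action directive; default-src does not apply
      "unrestricted" - present, but allows any origin ('*' or scheme-only)
      "restricted"   - 'none', 'self' and/or specific origins only
    """
    policy = parse_csp(header)
    if "form-action" not in policy:
        return "missing", "form-action absent; default-src does not cover form submissions"
    sources = policy["form-action"]
    if not sources:
        # An empty source list behaves like 'none'.
        return "restricted", "form-action has no sources (equivalent to 'none')"
    loose = [s for s in sources if not _is_specific_origin(s)]
    if loose:
        return "unrestricted", "form-action allows non-specific sources: " + " ".join(loose)
    return "restricted", "form-action limited to: " + " ".join(sources)


# Constructed sample policies for demonstration.
SAMPLE_HEADERS = {
    "only-default-src": "default-src 'self'; script-src 'self'",
    "wildcard": "default-src 'self'; form-action *",
    "scheme-only": "default-src 'self'; form-action https:",
    "self-and-domain": "default-src 'self'; form-action 'self' https://forms.example.net",
    "none": "default-src 'none'; form-action 'none'",
}

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        status, reason = check_form_action(hdr)
        print(f"{label:17} {status:13} {reason}")
```

Note that the "only-default-src" sample is classified as missing even though `default-src 'self'` is set: that is the point the issue makes about `form-action` having no `default-src` fallback, and it is the case a scanner most easily gets wrong.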