
recommend setting form-action to 'none', 'self' and specific domains for Content-Security-Policy #524

Closed
thestinger opened this issue Mar 23, 2021 · 3 comments · Fixed by #809

@thestinger

This won't fall back to default-src since it was introduced in v2.

Eventually, when CSP v3 is stable, navigate-to will be similar, but navigate-to is a much broader feature that's harder to use. Sites generally have very few origins where they need to submit forms, but probably do have a lot of external links, etc. they don't want to allow list.
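As an added illustration of the point in the opening post (this is example code written for this page, not Internet.nl's CSP test): a small checker that parses a Content-Security-Policy header value and evaluates only the form-action directive. It treats the directive as absent when only default-src is set, since form-action does not inherit from default-src, and it accepts 'none', 'self' and specific hosts while rejecting wildcard or scheme-only sources. The sample headers at the bottom are constructed, not taken from any real site.

```python
"""Check whether a Content-Security-Policy header restricts form submissions.

Added example, not Internet.nl's own test code. It parses a CSP header value
and evaluates the form-action directive as recommended in the issue: present,
and limited to 'none', 'self' and/or specific hosts. form-action has no
fallback to default-src, so a header that only sets default-src leaves form
targets unrestricted.
"""

from __future__ import annotations

# Source expressions that allow far more than "specific domains".
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "ws:", "wss:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, and
    directive names are case-insensitive. When a directive is repeated,
    browsers honour only the first occurrence, so later copies are dropped.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: the first one wins
        policy[name] = tokens[1:]
    return policy


def evaluate_form_action(header: str) -> tuple[bool, str]:
    """Return (passes, reason) for the form-action recommendation.

    Passes only when form-action is present and every source is 'none',
    'self' or a specific host/URL. Fails when the directive is missing
    (default-src does not cover it) or contains a wildcard or scheme-only
    source such as * or https:.
    """
    policy = parse_csp(header)
    sources = policy.get("form-action")
    if sources is None:
        if "default-src" in policy:
            return False, "form-action missing; default-src does not apply to form submissions"
        return False, "form-action missing"
    if not sources:
        return False, "form-action has an empty source list; write 'none' explicitly"
    for source in sources:
        if source.lower() in BROAD_SOURCES:
            return False, f"form-action allows {source}, which is not a specific domain"
    return True, "form-action restricts submissions to " + " ".join(sources)


# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "default-src 'self'",
    "default-src 'self'; form-action 'self'",
    "default-src 'none'; form-action 'none'",
    "form-action 'self' https://payments.example.net",
    "default-src 'self'; form-action *",
    "form-action https:",
]

if __name__ == "__main__":
    for sample in SAMPLE_HEADERS:
        passes, reason = evaluate_form_action(sample)
        print(f"{'PASS' if passes else 'FAIL'}  {sample!r}: {reason}")
```

The first sample is the case the issue is about: a header with only default-src looks restrictive but places no limit on where forms may be submitted, so the checker reports it as a failure with an explicit reason rather than silently treating default-src as a fallback.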

@thestinger thestinger changed the title recommend setting form-action for Content-Security-Policy recommend setting form-action to 'none', 'self' and specific domains for Content-Security-Policy Mar 23, 2021
@baknu baknu added this to the v1.5 milestone May 4, 2021
@baknu
Contributor

baknu commented May 4, 2021

See also #325 (comment)

@baknu baknu modified the milestones: v1.5, v1.6 Nov 12, 2021
@mxsasha mxsasha self-assigned this Oct 20, 2022
@mxsasha
Collaborator

mxsasha commented Nov 17, 2022

@baknu when we say "recommend" here - is that a failure if not set? The CSP test currently does not have different levels, it fails or it succeeds - though no scoring impact currently.

@baknu
Contributor

baknu commented Dec 8, 2022

> when we say "recommend" here - is that a failure if not set? The CSP test currently does not have different levels, it fails or it succeeds - though no scoring impact currently.

Yep, the requirement level of the CSP subtest is currently "RECOMMENDED". This is shown at the end of the test explanation. For some background on the different requirement levels, see: https://en.internet.nl/faqs/report/

So, a domain without form-action set should fail the CSP subtest and this will result in "Warning: fail on RECOMMENDED subtest ⇒ no score impact".

Note that we might upgrade the requirement level of the CSP subtest later to "REQUIRED", although we do not have any plans for that yet.

Btw we should also add form-action to the CSP header of Internet.nl itself.
