recommend setting form-action to 'none', 'self' and specific domains for Content-Security-Policy

[thestinger]

This won't fall back to default-src since it was introduced in v2.

Eventually, when CSP v3 is stable, navigate-to will be similar, but navigate-to is a much broader feature that's harder to use. Sites generally have very few origins where they need to submit forms, but probably do have a lot of external links, etc. they don't want to allow list.

[baknu]

See also #325 (comment)

[mxsasha]

@baknu when we say "recommend" here - is that a failure if not set? The CSP test currently does not have different levels, it fails or it succeeds - though no scoring impact currently.

[baknu]

when we say "recommend" here - is that a failure if not set? The CSP test currently does not have different levels, it fails or it succeeds - though no scoring impact currently.

Yep, the requirement level of the CSP subtest is currently "RECOMMENDED". This is shown at the end of the test explanation. For some background of the different requirement levels see: https://en.internet.nl/faqs/report/

So, a domain without form-action set should fail the CSP subtest and this will result in "Warning: fail on RECOMMENDED subtest ⇒ no score impact".

Note that we might upgrade the requirement level of the CSP subtest later to "REQUIRED", although we do not have any plans for that yet.

Btw we should also add form-action to the CSP header of Internet.nl itself.