I just wanted to open an issue to get your thoughts on `form-action` with respect to redirects. We have been working on deploying `form-action` and have run into a few scenarios that all boil down to:

1. Perform some action by doing a `POST` to `self`
2. Based on request params/backend state, redirect the user to another site

One big use case of this is OAuth, where we have users submit a form to authorize access to their account. After the `POST` we redirect the user back to the OAuth application to complete the OAuth dance.

However, for these kinds of scenarios to work with `form-action` we would either have to:

1. Determine where we plan to redirect the user for each OAuth authorization so that we can add an appropriate value for `form-action`.
2. Use something like `meta refresh` to redirect the user after authorizing (since this doesn't count as a form submit)

I can see why one might want to limit method-preserving redirection with a 307, but I couldn't think of much risk with allowing 302-style redirects. I guess there is some value in avoiding the redirection, though it feels somewhat orthogonal to the immediate risk associated with accidentally submitting form contents to an untrusted site. Anyway, I was just curious what your thoughts were on the topic.
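As an added illustration (not code from this thread or the CSP spec), a small Python model of the check the issue describes: the form's action and every redirect hop are matched against the `form-action` source list, so the POST-to-self-then-302 flow is blocked unless the redirect target is listed, which is the first option above. Source matching is simplified, and the origins and callback URL are constructed for the example.

```python
from urllib.parse import urlparse

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    """Effective port of a parsed URL: explicit port or the scheme default."""
    return parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    """Host comparison with the leading '*.' wildcard CSP host-sources allow."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches "app.example.com", not "example.com"
    return pattern == host


def source_matches(source, url, page_origin):
    """True if `url` is permitted by one source expression (simplified CSP matching)."""
    u, p = urlparse(url), urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (p.scheme, p.hostname, _port(p))
    if source == "*":
        return u.scheme in _DEFAULT_PORTS
    if source.endswith(":") and "/" not in source:  # scheme-source such as "https:"
        return u.scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; a scheme-less source matches the page scheme or https
    s = urlparse(source if "://" in source else f"{p.scheme}://{source}")
    if "://" in source and u.scheme != s.scheme:
        return False
    if "://" not in source and u.scheme not in (p.scheme, "https"):
        return False
    if not _host_matches(s.hostname, u.hostname):
        return False
    if s.port is None:  # no port in the source: the URL must use its scheme's default port
        if u.port is not None and u.port != _DEFAULT_PORTS.get(u.scheme):
            return False
    elif s.port != _port(u):
        return False
    return u.path.startswith(s.path) if s.path else True


def form_submission_allowed(sources, page_origin, action_url, redirect_chain=()):
    """Check the action URL and each redirect hop; returns (True, None) or (False, first_blocked_url)."""
    for hop in (action_url, *redirect_chain):
        if not any(source_matches(src, hop, page_origin) for src in sources):
            return False, hop
    return True, None


if __name__ == "__main__":
    # Constructed scenario: the page POSTs to itself, then 302s to the OAuth client's callback.
    origin = "https://site.example"
    chain = ["https://app.example.com/oauth/callback?code=abc"]
    print(form_submission_allowed(["'self'"], origin, origin + "/oauth/authorize", chain))
    print(form_submission_allowed(["'self'", "https://app.example.com"], origin, origin + "/oauth/authorize", chain))
```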
Hrm. I think it would be inconsistent with the rest of CSP to differentiate between types of redirection, but you're right to suggest that the risk of a 302 vs 307 is substantially lower for the specific case that form-action is meant to deal with. Certainly something worth talking about for CSP3.
/cc @mastahyeti @gregose @oreoshake