157355 2016-05-04 13:40:35 -0700 Content Security Policy form-action directive is ignored 2016-11-17 11:50:52 -0800 1 1 1 Unclassified WebKit WebCore Misc. Safari 9 Unspecified Unspecified RESOLVED DUPLICATE 154520 InRadar P2 Normal --- 1 webkit.bugzilla webkit-unassigned bfulgham dbates webkit-bug-importer oldest_to_newest 1190203 0 278123 webkit.bugzilla 2016-05-04 13:40:35 -0700 Created attachment 278123 form-action blocked test file Steps to reproduce: Create a test page with a form which submits data somewhere. Add to a page <meta http-equiv="Content-Security-Policy" content="form-action 'none'"> into <head>. Load page and submit the form. Form action should be blocked, but it is not. Alternatively use attached test file. Load attached "form-action-src-blocked.html" in a browser and click "Submit" button. You can also reproduce the issue if Content Security Policy delivered via content-security-policy http header. (You need to remove "<meta http-equiv="Content-Security-Policy" content="form-action 'none'"> from attached file, and adjust your http server settings to add "Content-Security-Policy: form-action 'none'" header to response) Actual results: Form successfully submitted Expected results: Form submit should be blocked. (Open the same file in Chrome) 1210515 1 webkit-bug-importer 2016-07-13 10:27:44 -0700 <rdar://problem/27326202> 1252380 2 dbates 2016-11-17 11:48:58 -0800 *** This bug has been marked as a duplicate of bug 154520 *** 1252382 3 dbates 2016-11-17 11:50:52 -0800 The directive form-action was enabled by default in Safari 10. That is, Safari 9 did not respect this directive. 278123 2016-05-04 13:40:35 -0700 2016-05-04 13:40:35 -0700 form-action blocked test file form-action-src-blocked.html text/html 482 webkit.bugzilla PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1T ZWN1cml0eS1Qb2xpY3kiIGNvbnRlbnQ9ImZvcm0tYWN0aW9uICdub25lJyI+CjwvaGVhZD4KPGJv ZHk+CiAgICA8Zm9ybSBhY3Rpb249Jy4vJyBpZD0ndGhlZm9ybScgbWV0aG9kPSdwb3N0Jz4KICAg ICAgICA8aW5wdXQgdHlwZT0ndGV4dCcgbmFtZT0nZmllbGRuYW1lJyB2YWx1ZT0nZmllbGR2YWx1 ZSc+CiAgICAgICAgPGlucHV0IHR5cGU9J3N1Ym1pdCcgaWQ9J3N1Ym1pdCcgdmFsdWU9J3N1Ym1p dCc+CiAgICA8L2Zvcm0+CiAgICA8cD5UZXN0cyB0aGF0IGJsb2NraW5nIGZvcm0gYWN0aW9ucyB3 b3JrcyBjb3JyZWN0bHkuIElmIHRoaXMgdGVzdCBwYXNzZXMsIHlvdSB3aWxsIHNlZSBhIGNvbnNv bGUgZXJyb3IsIGFuZCB3aWxsIG5vdCBzZWUgYSBwYWdlIGluZGljYXRpbmcgYSBmb3JtIHdhcyBQ T1NUZWQuPC9wPgo8L2JvZHk+CjwvaHRtbD4=