Currently the Content Security Policy form-action directive is guarded by ENABLE(CSP_NEXT) and a runtime flag, both are disabled by default. This directive has been part of the Content Security Policy spec. since version 1.1 and other browsers, Google Chrome, have enabled it by default for some time. We should enable it by default.
Created attachment 271889 [details]
Committed r196892: <http://trac.webkit.org/changeset/196892>
*** Bug 157355 has been marked as a duplicate of this bug. ***