Bug 157355 - RESOLVED DUPLICATE of bug 154520
Content Security Policy form-action directive is ignored
https://bugs.webkit.org/show_bug.cgi?id=157355
Summary: Content Security Policy form-action directive is ignored
Ilya Nesterov
Reported 2016-05-04 13:40:35 PDT
Created attachment 278123 [details]
form-action blocked test file

Steps to reproduce:
Create a test page with a form which submits data somewhere. Add <meta http-equiv="Content-Security-Policy" content="form-action 'none'"> to the page's <head>. Load the page and submit the form. The form action should be blocked, but it is not.

Alternatively, use the attached test file. Load the attached "form-action-src-blocked.html" in a browser and click the "Submit" button.

You can also reproduce the issue if the Content Security Policy is delivered via the Content-Security-Policy HTTP header. (You need to remove <meta http-equiv="Content-Security-Policy" content="form-action 'none'"> from the attached file, and adjust your HTTP server settings to add the "Content-Security-Policy: form-action 'none'" header to the response.)

Actual results:
Form successfully submitted.

Expected results:
Form submission should be blocked. (Open the same file in Chrome.)
Attachments
form-action blocked test file (482 bytes, text/html)
2016-05-04 13:40 PDT, Ilya Nesterov
no flags
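To make the expected behaviour in the report concrete, the following is an added example (not code from the bug report, the attachment, or WebKit) that implements the CSP Level 2 source-list check a browser is supposed to perform for form-action before submitting a form: the policy is parsed, the form's action URL is resolved against the document URL, and each source expression ('none', 'self', scheme-sources and host-sources with wildcard, port and path) is matched. It also shows that form-action has no fallback to default-src, which is why "default-src 'none'" alone does not block a submission. All policy strings, host names and URLs used with it are constructed for the example.

```javascript
// Added example, not WebKit code: decide whether a CSP form-action directive
// permits a form submission to a target URL, following the CSP Level 2
// source-list matching rules (keyword-, scheme- and host-sources).

// Default ports used when a source expression or URL omits the port.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "form-action 'self'; default-src 'none'" into Map(name -> [sources]).
// A repeated directive name is ignored after its first occurrence, as the
// CSP parsing algorithm requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// URL.port is "" for a scheme's default port; normalise to the numeric string.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression match `target`? `self` is the protected document's
// URL, needed for 'self' and for scheme-less host-sources.
function sourceMatches(source, target, self) {
  const keyword = source.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return target.origin === self.origin;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === keyword;
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1] && m[1].toLowerCase();
  const wildcard = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const port = m[4];
  const path = m[5];
  if (scheme) {
    if (target.protocol !== scheme + ':') return false;
  } else if (target.protocol !== self.protocol &&
             !(self.protocol === 'http:' && target.protocol === 'https:')) {
    // A scheme-less source inherits the document's scheme; http may upgrade to https.
    return false;
  }
  const hostname = target.hostname.toLowerCase();
  if (wildcard ? !hostname.endsWith('.' + host) : hostname !== host) return false;
  if (port === undefined) {
    // No port in the source: the target must use its scheme's default port.
    if (effectivePort(target) !== (DEFAULT_PORTS[target.protocol] || '')) return false;
  } else if (port !== '*' && effectivePort(target) !== port) {
    return false;
  }
  if (path) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    if (path.endsWith('/') ? !target.pathname.startsWith(path) : target.pathname !== path) return false;
  }
  return true;
}

// True if the form may be submitted to `formAction` under `policy`.
// form-action does not fall back to default-src, so a policy without it allows
// every target; "form-action 'none'" or an empty source list allows none.
function formActionAllowed(policy, formAction, documentUrl) {
  const directives = parseCsp(policy);
  if (!directives.has('form-action')) return true;
  const self = new URL(documentUrl);
  const target = new URL(formAction, self); // resolves relative actions such as "/submit"
  return directives.get('form-action').some((src) => sourceMatches(src, target, self));
}

// Constructed sample: the report's policy against a same-origin form action.
console.log(formActionAllowed("form-action 'none'", '/submit', 'https://example.test/page')); // false
```

The report's case is the first call: with `form-action 'none'` the source list contains only the 'none' keyword, so no target can match and the submission must be refused, which is the behaviour the reporter expected and Safari 9 did not implement.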
Radar WebKit Bug Importer
Comment 1 2016-07-13 10:27:44 PDT
Daniel Bates
Comment 2 2016-11-17 11:48:58 PST
*** This bug has been marked as a duplicate of bug 154520 ***
Daniel Bates
Comment 3 2016-11-17 11:50:52 PST
The directive form-action was enabled by default in Safari 10. That is, Safari 9 did not respect this directive.