Created attachment 278123
form-action blocked test file

Steps to reproduce:
Create a test page with a form which submits data somewhere.
Add <meta http-equiv="Content-Security-Policy" content="form-action 'none'"> to the page's <head>.
Load the page and submit the form. The form action should be blocked, but it is not.

Alternatively, use the attached test file. Load the attached "form-action-src-blocked.html" in a browser and click the "Submit" button.

You can also reproduce the issue if the Content Security Policy is delivered via the content-security-policy HTTP header. (You need to remove <meta http-equiv="Content-Security-Policy" content="form-action 'none'"> from the attached file, and adjust your HTTP server settings to add the "Content-Security-Policy: form-action 'none'" header to the response.)

Actual results:
Form successfully submitted.

Expected results:
Form submit should be blocked. (Open the same file in Chrome.)
<rdar://problem/27326202>
*** This bug has been marked as a duplicate of bug 154520 ***
The directive form-action was enabled by default in Safari 10. That is, Safari 9 did not respect this directive.
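Added example, not part of the bug report or of WebKit's code: a simplified model of the decision an enforcing browser makes for the policy string from the report, whether it arrives in the meta tag or the HTTP header. The function names and the site.example / pay.example URLs are assumptions; ports and paths in source expressions are ignored, and '*' is narrowed to http/https.

```javascript
// Simplified model of CSP form-action matching (illustrative, not browser code).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // The first occurrence of a directive wins; repeats are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// An "http" source also matches the upgraded "https" target.
function schemeOk(want, got) {
  return got === want || (want === 'http:' && got === 'https:');
}

function formActionAllows(policy, pageUrl, actionUrl) {
  const sources = parsePolicy(policy).get('form-action');
  // form-action does not fall back to default-src: no directive, no restriction.
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, pageUrl); // resolve a relative action
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false; // matches nothing
    if (s === "'self'") return target.origin === page.origin;
    if (s === '*') return /^https?:$/.test(target.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, target.protocol);
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    const [, scheme, host] = m;
    // A scheme-less host source inherits the scheme of the protected page.
    if (!schemeOk(scheme ? scheme + ':' : page.protocol, target.protocol)) return false;
    return host.startsWith('*.')
      ? target.hostname.endsWith(host.slice(1)) // *.a.com does not match a.com
      : target.hostname === host;
  });
}
```

A browser that lets the report's form through while `formActionAllows("form-action 'none'", ...)` is false is not enforcing the directive, which is the Safari 9 behaviour described above.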