CSP: form-action
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
HTTP Content-Security-Policy (CSP) 的 form-action 指令能够限定当前页面中表单的提交地址。
警告:在表单提交之后, form-action 指令是否应该阻止重定向仍有待讨论,各个浏览器对于此行为的实现也不尽相同(例如,Chrome 63 会阻止重定向,而 Firefox 57 则不会)。
| CSP version | 2 |
|---|---|
| Directive type | Navigation directive |
default-src fallback |
No. 未设定时允许任何值。 |
语法
form-action 策略允许设定一个或多个源:
Content-Security-Policy: form-action <source>; Content-Security-Policy: form-action <source> <source>;
示例
meta 标签配置
html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />
Apache 服务器配置
bash
<IfModule mod_headers.c>
Header set Content-Security-Policy "form-action 'none';
</IfModule>
Nginx 配置
bash
add_header Content-Security-Policy "form-action 'none';"
反例
将 <form> 元素的 action 设置为内联 JavaScript 会违反 CSP 规则。
html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />
<form action="javascript:alert('Foo')" id="form1" method="post">
<input type="text" name="fieldName" value="fieldValue" />
<input type="submit" id="submit" value="submit" />
</form>
<!-- Error: Refused to send form data because it violates the following Content Security Policy directive: "form-action 'none'". -->
规范
| Specification |
|---|
| Content Security Policy Level 3 # directive-form-action |
浏览器兼容性
BCD tables only load in the browser