CSP: form-action

Baseline: Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context.

Warning: Whether form-action should block redirects after a form submission is debated and browser implementations of this aspect are inconsistent (e.g. Firefox 57 doesn't block the redirects whereas Chrome 63 does).

CSP version: 2
Directive type: Navigation directive
default-src fallback: No. Not setting this allows anything.

Syntax

http
Content-Security-Policy: form-action 'none';
Content-Security-Policy: form-action <source-expression-list>;

This directive may have one of the following values:

'none'

No form submissions may be made. The single quotes are mandatory.

<source-expression-list>

A space-separated list of source expression values. Form submissions may be made to URLs that match any of the given source expressions. For this directive, the following source expression values are applicable:

Examples

Meta tag configuration

html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />

Apache configuration

apacheconf
<IfModule mod_headers.c>
  Header set Content-Security-Policy "form-action 'none';"
</IfModule>

Nginx configuration

nginx
add_header Content-Security-Policy "form-action 'none';"

Violation case

Using a <form> element with an action set to inline JavaScript will result in a CSP violation.

html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'" />

<form action="javascript:alert('Foo')" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue" />
  <input type="submit" id="submit" value="submit" />
</form>

<!--
// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
-->
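To make the matching rules concrete, here is an added, simplified policy checker (not MDN's or any browser's code) that answers "would this submission be allowed under this form-action directive?". It handles 'none', 'self', '*', scheme sources such as https: and host sources with wildcard hosts and ports; path matching and the finer points of 'self' are deliberately left out, and the header and URLs below are constructed sample values.

```python
from urllib.parse import urlsplit

# Default ports used when a source expression or target URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def form_action_sources(header):
    """Return the form-action source list of a CSP header, or None if the directive is absent."""
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "form-action":
            return tokens[1:]
    return None


def parse_host_source(expr):
    """Split a host-source like https://*.example.com:8443/path into (scheme, host, port)."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    host, _, port = expr.split("/", 1)[0].partition(":")  # path part is ignored here
    return (scheme.lower() if scheme else None), host.lower(), (port or None)


def source_matches(expr, target, origin):
    """True if one source expression allows a submission from `origin` to `target`."""
    t, o = urlsplit(target), urlsplit(origin)
    if expr == "'none'":
        return False
    if expr == "'self'":  # simplified: same scheme and host:port as the page
        return (t.scheme, t.netloc) == (o.scheme, o.netloc)
    if expr == "*":  # only network schemes; javascript: and data: never match
        return t.scheme in DEFAULT_PORTS
    if expr.endswith(":"):  # scheme-source, e.g. https:
        return t.scheme == expr[:-1].lower()
    scheme, host, port = parse_host_source(expr)
    scheme = scheme or o.scheme  # a scheme-less host source inherits the page's scheme
    if t.scheme != scheme and not (scheme == "http" and t.scheme == "https"):
        return False  # http sources also admit https targets (upgrade), nothing else
    t_host = t.hostname or ""
    if host.startswith("*."):  # *.example.com matches subdomains, not the bare domain
        if not t_host.endswith(host[1:]):
            return False
    elif t_host != host:
        return False
    t_port = t.port or DEFAULT_PORTS.get(t.scheme)
    if port is None:  # no port in the source: target must use its scheme's default
        return t_port == DEFAULT_PORTS.get(t.scheme)
    return port == "*" or t_port == int(port)


def submission_allowed(header, target, origin):
    """Apply the policy to a form submission; no form-action directive means unrestricted."""
    sources = form_action_sources(header)
    if sources is None:
        return True
    return any(source_matches(src, target, origin) for src in sources)
```

Note that a missing form-action directive is not covered by default-src, which is why `submission_allowed` returns True in that case.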

Specifications

Specification: Content Security Policy Level 3, # directive-form-action

Browser compatibility

Compatibility table (per-browser support data not preserved in this text): rows for form-action and for the non-standard behaviour "Redirects are blocked after a form submission", across Chrome, Edge, Firefox, Opera, Safari, Chrome Android, Firefox for Android, Opera Android, Safari on iOS, Samsung Internet, WebView Android and WebView on iOS.

See also