{{HTTPSidebar}}
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context. It applies to the URL a {{HTMLElement("form")}} is actually submitted to (the form's action, whether the submission is triggered by the user or from script), which makes it the directive to set against injected forms that try to send user input, such as credentials, to an attacker-controlled origin.
CSP version | 2 |
---|---|
Directive type | {{Glossary("Navigation directive")}} |
{{CSP("default-src")}} fallback | No. If form-action is absent, form submissions are unrestricted, even when default-src is set. |
Syntax
One or more sources can be set for the form-action directive:
Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;
Sources
{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
Examples
Meta tag configuration
<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
Apache configuration
<IfModule mod_headers.c>
  Header set Content-Security-Policy "form-action 'none';"
</IfModule>
Nginx configuration
add_header Content-Security-Policy "form-action 'none';";
Violation case
Using a {{HTMLElement("form")}} element whose action is a javascript: URL will result in a CSP violation. Under form-action 'none' a submission to any target is refused, including the document's own origin; the javascript: URL is just one example.
<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
<form action="javascript:alert('Foo')" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>
// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
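To make the Syntax and Sources rules above and this violation case concrete, here is an added example that is not code from MDN or from any browser engine: a small evaluator that decides whether a given form action is permitted by the form-action directive of one Content-Security-Policy header. It follows the source-expression matching rules closely enough for reasoning about policies ('none', 'self', scheme sources, host sources with a wildcard subdomain, port and path) and encodes the point that form-action has no default-src fallback. The policy strings, URLs and the `formSubmissionAllowed` function name are constructed for this illustration; nonces, hashes, multiple policies and redirect handling are deliberately left out.

```javascript
// Added example, not code from MDN or from any browser engine. Evaluates the
// form-action directive of a single CSP header against a submission target.
// Supports 'none', 'self', scheme sources, and host sources with wildcard
// subdomain, port and path. Nonces, hashes, multiple policies and redirects
// are out of scope.

const DEFAULT_PORT = { http: '80', https: '443', ws: '80', wss: '443' };

// Split a serialized policy into a Map of directive name -> source tokens.
// The first occurrence of a directive wins, as in the spec.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// An expression scheme of http also admits https targets (secure upgrade).
function schemeAllows(exprScheme, targetScheme) {
  return exprScheme === targetScheme ||
    (exprScheme === 'http' && targetScheme === 'https') ||
    (exprScheme === 'ws' && targetScheme === 'wss');
}

// "*.example.com" matches any subdomain but not the bare domain itself.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression from the directive's value match the target URL?
function sourceMatches(expr, target, self) {
  const keyword = expr.toLowerCase();
  if (keyword === "'none'") return false;            // matches nothing
  if (keyword === "'self'") return target.origin === self.origin;
  if (/^[a-z][a-z0-9+.\-]*:$/.test(keyword)) {       // scheme source, e.g. "https:"
    return schemeAllows(keyword.slice(0, -1), target.protocol.slice(0, -1));
  }
  // host source: [scheme://]host[:port][/path]
  const m = expr.match(/^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() : self.protocol.slice(0, -1);
  const targetScheme = target.protocol.slice(0, -1);
  if (!schemeAllows(scheme, targetScheme)) return false;
  if (!hostMatches(m[2].toLowerCase(), target.hostname.toLowerCase())) return false;
  const targetPort = target.port || DEFAULT_PORT[targetScheme] || '';
  if (m[3] === undefined) {
    if (target.port !== '') return false;            // no port in expression: default port only
  } else if (m[3] !== '*' && m[3] !== targetPort) {
    return false;
  }
  if (m[4]) {                                         // path: prefix if it ends in '/', else exact
    return m[4].endsWith('/') ? target.pathname.startsWith(m[4]) : target.pathname === m[4];
  }
  return true;
}

// May the document at documentUrl, served with `header`, submit a form to
// `action` (absolute or relative, as written in the markup)?
function formSubmissionAllowed(header, action, documentUrl) {
  const sources = parsePolicy(header).get('form-action');
  // No form-action directive: submissions are unrestricted, even when
  // default-src is 'none'. The directive has no default-src fallback.
  if (sources === undefined) return true;
  const self = new URL(documentUrl);
  const target = new URL(action, documentUrl);
  return sources.some((src) => sourceMatches(src, target, self));
}

// Constructed scenarios, including the violation case from this page.
const doc = 'https://example.com/checkout';
const cases = [
  ["form-action 'none'", "javascript:alert('Foo')", false],
  ["default-src 'none'", 'https://attacker.example/collect', true],   // no fallback!
  ["default-src 'none'; form-action 'self'", 'https://attacker.example/collect', false],
  ["form-action 'self'", '/login', true],
  ["form-action 'self' https://*.payments.example", 'https://api.payments.example/pay', true],
  ["form-action 'self' https://*.payments.example", 'https://payments.example/pay', false],
  ['form-action https://example.com/submit/', 'https://example.com/submit/order', true],
  ['form-action https://example.com/submit', 'https://example.com/submit/order', false],
];
for (const [policy, action, expected] of cases) {
  const got = formSubmissionAllowed(policy, action, doc);
  console.log(`${got === expected ? 'ok  ' : 'FAIL'} [${policy}] -> ${action}: ${got}`);
}
```

The second constructed case is the one worth remembering: a policy of `default-src 'none'` alone still lets an injected form post anywhere, so a hardened policy names form-action explicitly, typically as `form-action 'self'` plus any payment or SSO endpoints the application genuinely submits to.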
Specifications
Specification | Status | Comment |
---|---|---|
{{specName("CSP 3.0", "#directive-form-action", "form-action")}} | {{Spec2('CSP 3.0')}} | No changes. |
{{specName("CSP 1.1", "#directive-form-action", "form-action")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
{{Compat("http/headers/content-security-policy", "form-action")}}
See also
- {{HTTPheader("Content-Security-Policy")}}
- {{HTMLElement("form")}}