HTTP Content-Security-Policy
(CSP) 的 form
-action
指令能够限定当前页面中表单的提交地址。
在表单提交之后, form-action
指令是否应该阻止重定向仍有待讨论,各个浏览器对于此行为的实现也不尽相同(例如,Chrome 63会阻止重定向,而Firefox 57则不会)。
CSP version | 2 |
---|---|
Directive type | Navigation directive |
default-src fallback |
No. 未设定时允许任何值. |
语法
form-action
策略允许设定一个或多个源:
Content-Security-Policy: form-action <source>; Content-Security-Policy: form-action <source> <source>;
示例
meta标签配置
<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
Apache服务器配置
<IfModule mod_headers.c>
Header set Content-Security-Policy "form-action 'none';
</IfModule>
Nginx配置
add_header Content-Security-Policy "form-action 'none';"
反例
将 <form>
元素的action设置为内联 JavaScript 会违反CSP规则。
<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
<form action="javascript:alert('Foo')" id="form1" method="post">
<input type="text" name="fieldName" value="fieldValue">
<input type="submit" id="submit" value="submit">
</form>
// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
规范
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 form-action |
Working Draft | No changes. |
Content Security Policy Level 2 form-action |
Recommendation | Initial definition. |
本页面的兼容性列表由结构化数据生成,如果你想完善这些数据,请移步 https://github.com/mdn/browser-compat-data 并向我们发起pull request。