CSP: form-action

这篇翻译不完整。请帮忙从英语翻译这篇文章

HTTP Content-Security-Policy (CSP) 的 form-action 指令能够限定当前页面中表单的提交地址。

在表单提交之后, form-action 指令是否应该阻止重定向仍有待讨论,各个浏览器对于此行为的实现也不尽相同(例如,Chrome 63会阻止重定向,而Firefox 57则不会)。

CSP version 2
Directive type Navigation directive
default-src fallback No. 未设定时允许任何值.

语法

form-action 策略允许设定一个或多个源:

Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;

示例

meta标签配置

<meta http-equiv="Content-Security-Policy" content="form-action 'none'">

Apache服务器配置

<IfModule mod_headers.c> 
Header set Content-Security-Policy "form-action 'none';
</IfModule>

Nginx配置

add_header Content-Security-Policy "form-action 'none';"

反例

<form> 元素的action设置为内联 JavaScript 会违反CSP规则。

<meta http-equiv="Content-Security-Policy" content="form-action 'none'">

<form action="javascript:alert('Foo')" id="form1" method="post"> 
  <input type="text" name="fieldName" value="fieldValue"> 
  <input type="submit" id="submit" value="submit"> 
</form>

// Error: Refused to send form data because it violates the following 
// Content Security Policy directive: "form-action 'none'".

规范

Specification Status Comment
Content Security Policy Level 3
form-action
Working Draft No changes.
Content Security Policy Level 2
form-action
Recommendation Initial definition.

浏览器兼容性

No compatibility data found. Please contribute data for "http.headers.csp.form-action" (depth: 1) to the MDN compatibility data repository.

参见

文档标签和贡献者

此页面的贡献者: feiyuerenhai
最后编辑者: feiyuerenhai,