CSP: form-action


The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from the current page.

Whether form-action should block redirects that follow a form submission is still being debated, and browsers implement this behaviour differently (for example, Chrome 63 blocks such redirects, while Firefox 57 does not).

CSP version: 2
Directive type: Navigation directive
default-src fallback: No. If this directive is not set, any form target is allowed.

Syntax

The form-action directive accepts one or more sources:

Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;

Examples

Meta tag configuration

<meta http-equiv="Content-Security-Policy" content="form-action 'none'">

Apache configuration

<IfModule mod_headers.c>
Header set Content-Security-Policy "form-action 'none';"
</IfModule>

Nginx configuration

add_header Content-Security-Policy "form-action 'none';";

Violation case

Setting the action of a <form> element to inline JavaScript violates the CSP.

<meta http-equiv="Content-Security-Policy" content="form-action 'none'">

<form action="javascript:alert('Foo')" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>

// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
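To make the syntax section and the violation case above concrete, here is an added example (not code from MDN or from any browser) that models how a browser evaluates a form-action source list against the URL a form would submit to. It handles 'none', 'self', scheme-sources such as https: and host-sources such as https://*.example.com:*, following the CSP Level 3 matching rules for those common cases; the function names, the sample policy and the sample page URLs are all constructed for the example.

```javascript
// Added example, not code from MDN or any browser: a simplified model of
// how the form-action source list is evaluated. It covers 'none', 'self',
// scheme-source ("https:") and host-source ("https://*.example.com:*");
// real browsers implement the full CSP Level 3 matching algorithm.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Effective port of a URL, filling in the scheme's default when none is given.
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does a single source expression permit a submission to `target`
// from a document located at `page`?
function sourceMatches(expr, target, page) {
  if (expr === "'none'") return false; // 'none' matches nothing
  if (expr === "'self'") {
    return target.protocol === page.protocol &&
      target.hostname === page.hostname &&
      portOf(target) === portOf(page);
  }
  // scheme-source: "https:" permits any host reached over that scheme
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return target.protocol === expr.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // unrecognised expression: fail closed
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
  const wildcard = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const port = m[4];

  // Scheme: an explicit scheme must match exactly; an omitted scheme inherits
  // the page's scheme, and an http page may also submit to https (CSP3 upgrade).
  const schemeOk = scheme
    ? target.protocol === scheme
    : target.protocol === page.protocol ||
      (page.protocol === "http:" && target.protocol === "https:");
  if (!schemeOk) return false;

  // Host: "*.example.com" matches subdomains only, never the bare apex.
  const hostOk = wildcard
    ? target.hostname.endsWith("." + host)
    : target.hostname === host;
  if (!hostOk) return false;

  // Port: omitted -> only the scheme's default port; "*" -> any port.
  if (port === undefined) return target.port === "";
  if (port === "*") return true;
  return portOf(target) === port;
}

// Is a submission to `actionUrl` allowed by a form-action directive whose
// value is `directiveValue`, for a document at `pageUrl`?
function formActionAllowed(directiveValue, actionUrl, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, pageUrl); // relative actions resolve against the page
  const sources = directiveValue.trim().split(/\s+/).filter(Boolean);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Audit helper: which of a page's form actions would this policy refuse?
function findViolations(directiveValue, pageUrl, actionUrls) {
  return actionUrls.filter((a) => !formActionAllowed(directiveValue, a, pageUrl));
}

// Constructed sample: a checkout page whose policy allows only itself and a
// payment host. The last two actions are the kind a browser refuses, as in
// the "Refused to send form data" error shown above.
const policy = "'self' https://pay.example.com";
const pageUrl = "https://shop.example.com/checkout";
const actions = [
  "/order",
  "https://pay.example.com/start",
  "https://evil.example/steal",
  "javascript:alert('Foo')",
];
console.log(findViolations(policy, pageUrl, actions));
```

Running the block lists the two blocked actions. The javascript: action is refused under this policy for the same reason as under 'none' in the violation case above: no source expression can match a javascript: URL, so a form whose action is inline JavaScript never passes a form-action check.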

Specifications

Specification                                   | Status         | Comment
Content Security Policy Level 3 (form-action)   | Working Draft  | No changes.
Content Security Policy Level 2 (form-action)   | Recommendation | Initial definition.

Browser compatibility

form-action, desktop:
Chrome: full support since 40
Edge: full support since 15
Firefox: full support since 36
Internet Explorer: no support
Opera: full support since 27
Safari: full support since 10

form-action, mobile:
Android webview: full support
Chrome for Android: full support
Firefox for Android: full support since 36
Opera for Android: compatibility unknown
Safari on iOS: full support since 9.3
Samsung Internet: full support

See also

Document tags and contributors

Contributors to this page: feiyuerenhai
Last edited by: feiyuerenhai