Add support for form-action CSP directive

Created on 8 January 2018, over 7 years ago
Updated 25 July 2023, over 1 year ago

As detailed in this blog post, failing to set the form-action CSP directive can lead to data being sent to unauthorized domains.

If some rogue JS executes on a page with a form, that JS could be used to change the form's action attribute to evil.com, for example.
Adding the ability to set the form-action CSP directive would prevent form submission in this scenario.

✨ Feature request

Status: Active

Version: 1.0

Component: Code

Created by: 🇺🇸 United States milodesc
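
The scenario in the issue can be modelled with a small checker. This is an added example, not part of the original issue or the module's code: `formSubmissionAllowed` and its helpers are hypothetical names, the `.example` hostnames are constructed stand-ins for the issue's evil.com, and source matching is simplified (paths are ignored). It shows that a policy with only `default-src` leaves form targets unrestricted, because `form-action` has no fallback.

```javascript
// Added example: simplified model of a browser's form-action check.
// Paths in source expressions are ignored; hostnames are constructed.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function matchesSource(source, target, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === page.origin;
  if (source === '*') return /^https?:$/.test(target.protocol);
  // Scheme source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without a scheme, the page's own scheme (or an upgrade to https) is required.
  const schemeOk = scheme
    ? target.protocol === scheme + ':'
    : target.protocol === page.protocol || target.protocol === 'https:';
  const targetPort = target.port || (target.protocol === 'https:' ? '443' : '80');
  const portOk = port ? port === '*' || port === targetPort : target.port === '';
  const hostOk = wildcard
    ? target.hostname.endsWith('.' + host)
    : target.hostname === host;
  return schemeOk && portOk && hostOk;
}

// Returns true when the browser would let the form submit to actionUrl.
function formSubmissionAllowed(cspHeader, pageUrl, actionUrl) {
  const sources = parseCsp(cspHeader).get('form-action');
  // form-action does not fall back to default-src: if it is absent,
  // form targets are unrestricted.
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, page); // resolves relative actions
  return sources.some((src) => matchesSource(src, target, page));
}
```

Running candidate header values through such a check before deployment confirms that every legitimate form target (for example an external payment or search endpoint) is listed, so enabling the directive does not break existing forms.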


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.
