Refused to send form data on password reset with 'self'

Created on 26 May 2025, 12 days ago

Problem/Motivation

When trying to reset the password on my website I get this error:
Refused to send form data to 'https://xxxxxxx.online/user/password' because it violates the following Content Security Policy directive: "form-action 'self'".

I'm working on a multi-domain website, but 'self' should cover that right? I also tried adding the domain directly but that didn't solve it either...what am I missing here?

💬 Support request
Status

Active

Version

2.0

Component

Code

Created by

🇳🇱Netherlands zebda


Comments & Activities

  • Issue created by @zebda
  • 🇨🇦Canada gapple

    If your form's action attribute uses a relative URL (action="/user/password"), then 'self' should be fine,
    but for an absolute URL (action="https://sso.example.com/user/password") the domain of the form target would need to match the page's current domain.
    (Protocol also matters: submitting from https to http would be blocked as well, but I assume from your description all domains are served via https.) 'self' is interpreted by the browser, which has no knowledge of separate sites/domains being served by the same codebase or being otherwise connected.

    Allowing just the top-level domain does not allow its subdomains: e.g. adding example.com to your policy will not allow sso.example.com.
    It also applies in the other direction: the host pattern *.example.com would not allow the TLD example.com.
    To allow both the TLD and any of its subdomains (to any depth), you would need to include both example.com and the wildcard host pattern *.example.com in your policy.

    https://www.w3.org/TR/CSP3/#match-hosts

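To make the matching rules from the comment above concrete, here is an added example (not code from this thread or from the csp module) that models how a browser evaluates a `form-action` source list against a form target. It follows the CSP3 scheme, host, port and path matching rules in simplified form (redirects, nonces and hashes are left out); the page URL and hostnames in it are constructed examples.

```javascript
// Simplified model of CSP3 source-list matching for a form-action directive.
// Not the csp module's code; hostnames and URLs are constructed examples.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// The URL parser drops a default port, so fill it back in for comparisons.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// CSP3 match-schemes: a pattern scheme also matches its secure upgrade
// (http -> https, ws -> wss), but never a downgrade.
function schemeMatches(patternScheme, urlScheme) {
  if (patternScheme === urlScheme) return true;
  return (patternScheme === 'http:' && urlScheme === 'https:')
      || (patternScheme === 'ws:' && urlScheme === 'wss:');
}

// CSP3 match-hosts: "*" matches any host; "*.example.com" matches any
// subdomain of example.com at any depth but NOT example.com itself; a plain
// host matches only that exact host (so "example.com" excludes subdomains).
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// CSP3 match-paths (simplified): no path matches everything, a path ending
// in "/" is a prefix match, anything else must match exactly.
function pathMatches(patternPath, urlPath) {
  if (!patternPath) return true;
  if (patternPath.endsWith('/')) return urlPath.startsWith(patternPath);
  return patternPath === urlPath;
}

// Both default for their scheme, or the same effective port.
function portsCompatible(url, origin) {
  return (url.port === '' && origin.port === '') || effectivePort(url) === effectivePort(origin);
}

// 'self': the exact page origin, or the same host with a scheme upgrade.
// A different host (sso.example.com vs www.example.com) is never 'self',
// no matter which codebase serves it.
function urlMatchesSelf(url, origin) {
  if (url.origin === origin.origin) return true;
  return url.hostname.toLowerCase() === origin.hostname.toLowerCase()
    && schemeMatches(origin.protocol, url.protocol)
    && portsCompatible(url, origin);
}

// host-source grammar: [scheme://]host[:port][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

function urlMatchesSource(source, url, origin) {
  if (source === "'none'") return false;
  if (source === "'self'") return urlMatchesSelf(url, origin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {       // scheme-source such as "https:"
    return schemeMatches(source.toLowerCase(), url.protocol);
  }
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;                               // keyword this model does not handle
  const [, scheme, host, port, path] = m;
  // A host-source without a scheme inherits the page's scheme (upgrade allowed).
  if (!schemeMatches((scheme || origin.protocol).toLowerCase(), url.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port === undefined && url.port !== '') return false;            // must be the default port
  if (port !== undefined && port !== '*' && port !== effectivePort(url)) return false;
  return pathMatches(path || '', url.pathname);
}

// Resolve the form's action the way the browser does (relative to the page)
// and allow the submission if any source in the directive matches it.
function formActionAllowed(pageUrl, action, sourceList) {
  const origin = new URL(pageUrl);
  const target = new URL(action, origin.href);
  return sourceList.some((source) => urlMatchesSource(source, target, origin));
}
```

Calling `formActionAllowed('https://www.example.com/user/password', 'https://sso.example.com/user/password', ["'self'"])` reproduces the blocked case from the question, while the same page with `['example.com', '*.example.com']` allows both the apex domain and any subdomain, as the comment describes.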