Form-action: data #80

Open
Sora2455 opened this issue Jul 22, 2019 · 1 comment

Comments

@Sora2455

I'm occasionally getting violation reports from Opera and Chrome saying that someone is setting their form-action to a data URL:

```json
{
  "csp-report": {
    "document-uri": "[SITE URL]",
    "effective-directive": "form-action",
    "original-policy": "default-src [SITE URL]; style-src https: 'unsafe-inline'; img-src data: blob: https:; frame-src *; child-src * blob:; worker-src 'self' blob:; script-src https: 'unsafe-inline' 'report-sample' 'self' 'strict-dynamic' 'nonce-[removed]'; object-src 'none'; form-action [SITE URL]; report-uri [SITE URL]; report-to csproReportEndpoint;",
    "blocked-uri": "data"
  }
}
```

Does this make any sense to anyone?

@MaceWindu
Contributor

MaceWindu commented Aug 17, 2019

That's interesting. I can see that such form actions are supported, but I'm not sure who would use them, or why: https://www.w3.org/TR/html50/forms.html#submit-data-post

I would suspect some plugin tries to replace your page with a file provided by a "data:" URL on form submit.

According to https://stackoverflow.com/questions/45493234/jspdf-not-allowed-to-navigate-top-frame-to-data-url it shouldn't work anyway in Chrome.
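An added example (not code from the issue or its participants) showing how a report-collecting endpoint could triage reports like the one above: it parses the `original-policy`, works out which source list applied to the `effective-directive` (remembering that `form-action` does not fall back to `default-src`), and flags a `data:` form target that the policy never allowed as probable client-side noise (an extension or injected script) rather than a server misconfiguration. The site URL and the `make_report` helper are constructed for the example.

```python
import json

# Directives that do not fall back to default-src when absent (CSP Level 2/3).
NO_DEFAULT_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to"}

def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def triage(report_json: str) -> dict:
    """Explain why a CSP report's blocked-uri was rejected by the effective directive."""
    r = json.loads(report_json)["csp-report"]
    directive = r["effective-directive"]
    blocked = r["blocked-uri"]          # browsers report the bare scheme ("data") for data: URLs
    policy = parse_policy(r["original-policy"])
    if directive in policy:
        sources = policy[directive]
    elif directive in NO_DEFAULT_FALLBACK:
        sources = []                    # nothing is allowed unless the directive is set explicitly
    else:
        sources = policy.get("default-src", [])
    scheme_allowed = f"{blocked}:" in sources
    return {
        "directive": directive,
        "blocked_scheme": blocked,
        "allowed_sources": sources,
        "scheme_allowed": scheme_allowed,
        # A normal page never needs a data:/blob: form target; unallowed ones are client-side noise.
        "likely_extension_or_script": directive == "form-action"
                                      and blocked in ("data", "blob") and not scheme_allowed,
    }

# Constructed sample policy modelled on the issue's report; example.invalid stands in for the site URL.
POLICY = ("default-src https://example.invalid; style-src https: 'unsafe-inline'; "
          "img-src data: blob: https:; form-action https://example.invalid; object-src 'none'")

def make_report(directive: str, blocked_uri: str, policy: str = POLICY) -> str:
    """Build a constructed report body in the same shape browsers send to report-uri."""
    return json.dumps({"csp-report": {"document-uri": "https://example.invalid/",
        "effective-directive": directive, "original-policy": policy, "blocked-uri": blocked_uri}})
```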
