---
title: 'CSP: form-action'
slug: Web/HTTP/Headers/Content-Security-Policy/form-action
translation_of: Web/HTTP/Headers/Content-Security-Policy/form-action
---
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) `form-action` directive restricts the URLs that forms on the current page may submit to.

Whether `form-action` should also block a redirect that follows a form submission is still under discussion, and browsers implement this differently (for example, Chrome 63 blocks such redirects, while Firefox 57 does not).
| CSP version | 2 |
|---|---|
| Directive type | {{Glossary("Navigation directive")}} |
| {{CSP("default-src")}} fallback | No. Not setting this allows anything. |
One or more sources can be allowed for the `form-action` policy:

```http
Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;
```
Via an HTML `<meta>` element:

```html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
```

In an Apache configuration (the closing quote of the header value was missing in the original snippet):

```apacheconf
<IfModule mod_headers.c>
  Header set Content-Security-Policy "form-action 'none';"
</IfModule>
```

In an Nginx configuration (the directive needs its terminating semicolon):

```nginx
add_header Content-Security-Policy "form-action 'none';";
```
Setting the `action` of a {{HTMLElement("form")}} element to inline JavaScript violates the CSP:

```html
<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
<form action="javascript:alert('Foo')" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>

// Error: Refused to send form data because it violates the following
// Content Security Policy directive: "form-action 'none'".
```
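To make the source matching concrete, here is a simplified `form-action` checker, added as an example and not taken from this page or from any browser's implementation. It assumes a reduced CSP source grammar (`'none'`, `'self'`, scheme sources such as `https:`, and host sources with an optional scheme, a leading `*.` wildcard and a port; paths are ignored) and resolves the form's `action` against the page URL the way a browser would.

```javascript
// Added example (not from this page or any browser): simplified form-action
// matching. Assumed subset: 'none', 'self', scheme sources, host sources.
function parseFormAction(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === "form-action") {
      return tokens.slice(1);
    }
  }
  return null; // directive absent: default-src does not apply, so anything goes
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

function sourceMatches(source, target, page) {
  if (source === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol === source.toLowerCase(); // scheme source
  }
  // host source: [scheme://]host[:port]; any path is ignored in this model
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  if (!scheme && !["http:", "https:"].includes(target.protocol)) return false;
  if (!hostMatches(host.toLowerCase(), target.hostname)) return false;
  const tport = target.port || { "http:": "80", "https:": "443" }[target.protocol] || "";
  if (port && port !== "*" && tport !== port) return false;
  return true;
}

// Would a form on pageUrl be allowed to submit to actionUrl under cspHeader?
function formActionAllowed(cspHeader, pageUrl, actionUrl) {
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, pageUrl); // relative actions resolve against the page
  const sources = parseFormAction(cspHeader);
  if (sources === null) return true;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  return sources.some((s) => sourceMatches(s, target, page));
}
```

This models only the initial submission target; as noted above, whether a redirect after submission is also checked varies by browser.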
| Specification | Status | Comment |
|---|---|---|
| {{specName("CSP 3.0", "#directive-form-action", "form-action")}} | {{Spec2('CSP 3.0')}} | No changes. |
| {{specName("CSP 1.1", "#directive-form-action", "form-action")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
{{Compat("http.headers.csp.form-action")}}