
Set the form-action directive in the report-only CSP #15554

Open: wants to merge 1 commit into main
Conversation

robhudson (Member)

Summary

This PR introduces the form-action directive to the report-only Content Security Policy (CSP) header. The goal is to test and evaluate its compatibility before eventually applying it to the enforced CSP header. The form-action directive restricts where forms on the site can send their data upon submission, adding an additional layer of security to prevent potential vulnerabilities.

Why form-action is Important for Security

The form-action directive is a key security measure designed to mitigate attacks that exploit form submissions, such as:

  • Phishing and data exfiltration attacks: Prevents malicious actors from redirecting form submissions to unauthorized or external servers.
  • Clickjacking: Works in tandem with other CSP directives to ensure that embedded forms are protected.
  • Cross-site scripting (XSS) risks: Reduces the attack surface by limiting submission endpoints, even if an attacker manages to inject a form.

By specifying trusted domains or paths for form submissions, form-action ensures that forms behave only as intended and cannot be abused for unauthorized data capture.

Next Steps

  1. Deploy the change and monitor CSP violation reports for any issues related to form-action.
  2. Refine the directive based on findings from the report-only stage.
  3. Once confident, apply the directive to the enforced CSP header to fully benefit from its security enhancements.

References

Issue / Bugzilla link

#15553 (from #11943)

Testing

  • Verify the addition of the form-action directive in the report-only CSP header locally.
    • To do this we need to set a couple of local env vars:
      • DEBUG=False - CSP headers aren't added while in DEBUG mode
      • CSP_RO_REPORT_URI=/csp-violation - the report-only header will only be added if this is set.

robhudson requested a review from a team as a code owner on November 22, 2024 23:26
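As an added example (not code from the pull request or from the project), the following Python script models what the form-action directive does to a form submission under an enforced header versus a report-only one, and shows a caveat worth knowing before the enforced rollout: form-action has no default-src fallback, so a policy without it permits every submission target. The host names, policy string and form actions are constructed for illustration; only the directive name and the /csp-violation report path come from the PR above. Source matching follows the CSP3 host-source rules in simplified form.

```python
"""Simplified evaluator for the CSP form-action directive.

Added example, not code from the pull request or the project. The policy,
host names and form actions below are constructed for illustration; the only
things taken from the PR are the directive name and the /csp-violation
report path. Matching follows the CSP3 host-source rules in simplified form.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _port(url):
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)


def _scheme_ok(source_scheme, target_scheme):
    # CSP treats an http source as also matching https (secure upgrade).
    return source_scheme == target_scheme or (
        source_scheme == "http" and target_scheme == "https")


def source_matches(source, target, page):
    """Does one source expression match the absolute, parsed URL `target`?

    `page` is the parsed document URL, needed for 'self'. Keyword sources
    other than 'self'/'none' (nonces, hashes) do not apply to form-action.
    """
    keyword = source.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return (target.hostname, _port(target)) == (page.hostname, _port(page)) \
            and _scheme_ok(page.scheme, target.scheme)
    if keyword == "*":
        return target.scheme in DEFAULT_PORTS
    if keyword.startswith("'"):
        return False  # nonce-/hash-sources never match a navigation target
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and not _scheme_ok(src.scheme, target.scheme):
        return False
    host, want = target.hostname or "", src.hostname or ""
    if want.startswith("*."):
        if not host.endswith(want[1:]):
            return False
    elif host != want:
        return False
    if src.port is not None and src.port != _port(target):
        return False
    if src.path and src.path != "/":
        # A path ending in "/" is a prefix; anything else must match exactly.
        if src.path.endswith("/"):
            return target.path.startswith(src.path)
        return target.path == src.path
    return True


def form_action_check(header, report_only, action, page_url):
    """Classify a form submission from `page_url` to `action`.

    Returns 'allowed', 'blocked' (enforced header) or 'reported' (the
    Content-Security-Policy-Report-Only header: the browser lets the
    submission proceed and only posts a violation report to report-uri).
    """
    policy = parse_csp(header)
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, action))  # empty action = page URL
    if "form-action" not in policy:
        # form-action does not fall back to default-src: with no
        # form-action directive every submission target is permitted.
        return "allowed"
    if any(source_matches(s, target, page) for s in policy["form-action"]):
        return "allowed"
    return "reported" if report_only else "blocked"


# Constructed sample: a report-only header of the kind the PR describes,
# with one first-party and one trusted third-party submission endpoint.
PAGE_URL = "https://www.example.org/newsletter/"
REPORT_ONLY_HEADER = ("default-src 'self'; "
                      "form-action 'self' https://basket.example.org; "
                      "report-uri /csp-violation")

if __name__ == "__main__":
    for action in ("/newsletter/subscribe/",
                   "https://basket.example.org/news/subscribe/",
                   "https://collect.attacker.example/steal"):
        print(action, "->", form_action_check(REPORT_ONLY_HEADER, True, action, PAGE_URL))
```

Running the script against the sample header classifies the two legitimate endpoints as allowed and the third-party collector as "reported": under the report-only header the browser still submits the form and only posts a violation report, which is exactly why the staged rollout in the PR is useful. Every "reported" entry arriving at /csp-violation during that stage is either a target that must be added to the source list or an injected form that the enforced header will later stop. The matcher deliberately omits some CSP3 details (percent-decoding of paths, redirects, the `'strict-dynamic'` family), so treat it as a model of the directive's behaviour, not a replacement for the browser's enforcement.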

codecov bot commented Nov 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.96%. Comparing base (33115aa) to head (572113c).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #15554   +/-   ##
=======================================
  Coverage   78.95%   78.96%           
=======================================
  Files         158      158           
  Lines        8293     8294    +1     
=======================================
+ Hits         6548     6549    +1     
  Misses       1745     1745           


robhudson changed the title from "Set the form-action direction in the report-only CSP" to "Set the form-action directive in the report-only CSP" on Nov 22, 2024