Forms were not covered by the "allow" directive since there's user interaction required to submit the form; this is the same reason links to external sites aren't stopped by CSP. Any requests caused automatically by the page's load (dependent load requests) are subject to CSP, but if the user wishes to navigate away from the page, they're allowed.
-[[User:Sidstamm|Sid]]
Ok. That's a very nice, clear-cut view: 'anything without user interaction has CSP applied to it, anything with doesn't'. I am stupid and I didn't understand this from the spec - maybe you can add that somewhere appropriate?

Additionally, in this scenario, while I do understand where you are coming from, there is a difference between links and forms. In links, more often than not, you (the user) know where you are going to. In forms, unfortunately, there is no indication in the current UI of where the form data is going. So although there is user interaction in a form submission, whether user intent is there or not is not clear. As such, I think forms should be covered by the allow directive. If not, then a form-src also makes sense. --duryodhan
== <tt>frame-src</tt> Consistent Across Navigation ==