Josh

Reputation: 1968

Content Security Policy not allowing form submission

Please, I need assistance here. I have a form to submit to another URL, but when I try to submit it, it refuses to submit, so I checked my console.

On Chrome, I see the following errors

resources2.aspx?HCCID=75694719&culture=en-US&mlcv=3006&template=5:7 Refused to load the image 'https://s4.mylivechat.com/livechat2/images/sprite.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".

Refused to send form data to 'https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx' because it violates the following Content Security Policy directive: "form-action 'self'".

and on Mozilla Firefox I see the following:

Content Security Policy: The page’s settings blocked the loading of a resource at https://s4.mylivechat.com/livechat2/images/sprite.png (“img-src http://smehelp.themarketplace.ng data:”)

Content Security Policy: The page’s settings blocked the loading of a resource at http://smehelp.themarketplace.ng/purchase/summary (“form-action 'self'”).

Checking around the web for solution, I have added the following to my page header

        <meta http-equiv="Content-Security-Policy" content="form-action 'self'">

but the problem still persists.

As a result, I am not able to submit my forms. The forms used to get submitted earlier, but I just tried today and observed this error.

I am running Google Chrome Version 55.0.2883.95 (64-bit) on macOS.

I will appreciate any suggestion to solve this issue as soon as possible.

Thank you

Upvotes: 16

Views: 51056

Answers (2)

RiZKiT

Reputation: 2501

If you are looking here because you want to send a form to the same URL (which should be possible with form-action 'self') or to another URL listed in your form-action rule, but redirect afterwards, the following could be the cause: https://github.com/w3c/webappsec-csp/issues/8 (including a long discussion). One reason is: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

The reason why the target URL of the redirect is not visible in the CSP report (which is really confusing) is a security issue; see https://w3c.github.io/webappsec-csp/#create-violation-for-request. It would otherwise be possible to analyse the behaviour of form endpoints.

tl;dr: Chrome and Safari do not allow redirects after submitting a form unless the destination URL is listed in the form-action CSP rule, even if it is a GET redirect that does not contain the original form data.

Upvotes: 11

Anand Bhat

Reputation: 5819

You are passing the Content-Security-Policy value in your response header:

base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline'

The content security policy that you've added to the page meta will be ignored as this is present in the response header.

You will need to make the following additions to the CSP that you are sending in your response header (the added sources are https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx in form-action and https://s4.mylivechat.com in img-src):

base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self' https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx; frame-ancestors 'none'; img-src 'self' data: https://s4.mylivechat.com; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline';

Upvotes: 6
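Both answers above can be checked mechanically. The following is an added example, not code from the question or from either answer: a small evaluator in JavaScript for Node.js that parses a serialized Content-Security-Policy and decides whether a form's action URL, each redirect target it leads to (the Chrome/Safari behaviour RiZKiT describes), and an image URL are allowed. It encodes three rules a practitioner needs on this page: form-action never falls back to default-src; when several policies are delivered (the response header plus the `<meta>` tag), a URL must satisfy every one of them, so the meta tag cannot widen the header's form-action; and the path of a host-source is ignored for URLs reached through a redirect. The policy strings are excerpts of the ones in Anand Bhat's answer, the page origin and URLs come from the question's console errors, and the Receipt.aspx and receipt.example redirect targets are constructed for the demo.

```javascript
// Added example, not code from the question or either answer: a small CSP
// evaluator reproducing the form-action and img-src decisions discussed on
// this page. Assumes Node.js (global URL class). Policy strings are excerpts
// of Anand Bhat's header policy; PAGE, PAY and SPRITE come from the question's
// console errors; RECEIPT and ELSEWHERE are constructed redirect targets.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Navigation directives never fall back to default-src; fetch directives do.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri']);

// Parse a serialized policy ("dir a b; dir2 c") into { directive: [sources] }.
// As in browsers, a directive repeated inside one policy keeps its first value.
function parsePolicy(serialized) {
  const policy = {};
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

function sourceListFor(policy, directive) {
  if (directive in policy) return policy[directive];
  return NO_FALLBACK.has(directive) ? null : (policy['default-src'] || null);
}

const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';
// CSP treats https: as an acceptable upgrade of an http: scheme or origin.
const schemeOk = (want, got) => want === got || (want === 'http:' && got === 'https:');

// Does one source expression match `url` for a page at `origin`?  For URLs
// reached through a redirect, CSP ignores the path of host-source expressions.
function matchesSource(expr, url, origin, redirected) {
  const kw = expr.toLowerCase();
  if (kw === "'none'") return false;
  if (kw === '*') return url.protocol in DEFAULT_PORT;
  if (kw === "'self'") {
    return url.hostname === origin.hostname && schemeOk(origin.protocol, url.protocol) &&
      (portOf(url) === portOf(origin) || (url.port === '' && origin.port === ''));
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(kw)) return schemeOk(kw, url.protocol); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^\/:*]+|[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false; // 'unsafe-inline', nonces, hashes: never match a URL
  const scheme = m[1] && m[1].toLowerCase() + ':';
  const host = m[2].toLowerCase();
  const port = m[3], path = m[4];
  if (!schemeOk(scheme || origin.protocol, url.protocol)) return false;
  // "*.a.b" matches x.a.b but not a.b itself; otherwise the host must be equal.
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  if (!hostOk) return false;
  if (port === undefined ? url.port !== '' : port !== '*' && portOf(url) !== port) return false;
  if (path && !redirected) {
    return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// Returns the serialized directive that blocks `url`, or null if it is allowed.
// With several policies (response header plus <meta>), every one must allow the
// URL, so a second policy can only tighten the first, never loosen it.
function findViolation(policyStrings, directive, url, pageUrl, redirected = false) {
  const origin = new URL(pageUrl);
  const target = new URL(url);
  for (const policy of policyStrings.map(parsePolicy)) {
    const list = sourceListFor(policy, directive);
    if (list === null) continue; // directive not set and no fallback: unrestricted
    if (!list.some((e) => matchesSource(e, target, origin, redirected))) {
      return `${directive} ${list.join(' ')}`;
    }
  }
  return null;
}

// The Chrome/Safari behaviour from RiZKiT's answer: the action URL and every
// redirect target it leads to must each satisfy form-action. chain[0] is the
// form's action; chain[1..] are the successive Location targets.
function checkFormSubmission(policyStrings, pageUrl, chain) {
  for (let i = 0; i < chain.length; i++) {
    const blockedBy = findViolation(policyStrings, 'form-action', chain[i], pageUrl, i > 0);
    if (blockedBy) return { allowed: false, step: i, url: chain[i], blockedBy };
  }
  return { allowed: true, step: chain.length - 1, url: chain[chain.length - 1], blockedBy: null };
}

const HEADER_CSP = "default-src 'self' https://s4.mylivechat.com; form-action 'self'; img-src 'self' data:";
const FIXED_CSP = "default-src 'self' https://s4.mylivechat.com; " +
  "form-action 'self' https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx; " +
  "img-src 'self' data: https://s4.mylivechat.com";
const PAGE = 'http://smehelp.themarketplace.ng/purchase/summary';
const PAY = 'https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx';
const SPRITE = 'https://s4.mylivechat.com/livechat2/images/sprite.png';
const RECEIPT = 'https://cipg.stanbicibtcbank.com/MerchantServices/Receipt.aspx'; // constructed
const ELSEWHERE = 'https://receipt.example/done';                                  // constructed

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkFormSubmission([HEADER_CSP], PAGE, [PAY]));           // blocked by "form-action 'self'"
  console.log(checkFormSubmission([FIXED_CSP], PAGE, [PAY, RECEIPT]));   // allowed: path ignored after redirect
  console.log(checkFormSubmission([FIXED_CSP], PAGE, [PAY, ELSEWHERE])); // blocked at step 1
  console.log(findViolation([HEADER_CSP], 'img-src', SPRITE, PAGE));     // "img-src 'self' data:"
}
```

Run it with `node csp-check.js`. Two details worth noticing in the output: the sprite is blocked even though default-src lists https://s4.mylivechat.com, because an explicit img-src replaces the fallback rather than extending it; and with the corrected policy a redirect from MakePayment.aspx to another path on the same bank host is allowed, while a redirect to a different host is blocked at step 1, which is the case RiZKiT's answer warns about.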
