Reputation: 1562
form-action CSP blocking allowed URL
Login form is blocked by CSP and I don't understand why
Chrome Version 94.0.4606.61
Error message :
Refused to send form data to 'https://subdomain.mydomain.com/login/local' because it violates the following Content Security Policy directive: "form-action 'self' https: *.mydomain.com".
No problem with firefox
Upvotes: 9
Views: 7053
Answers (1)
Reputation: 8496
This is because during login you perform a redirect through the host-source whose is not allowed in the form-action directive (the port, the scheme, domain/subdomain name does not match).
When redirecting, the CSP checks the entire chain of sources, but browsers have differences in the behavior of form-action for redirects:
Chrome/Safari consider a redirect when submitting a form to be potentially dangerous, since sensitive user data can be redirected to an attacker's domain. Therefore, they block redirection if host-source (domain) not allowed in the
form-actionsare participate in the chain of redirects.Firefox believes that the server redirect is under the control of the owner of the page protected in CSP. Therefore, during redirect it allows you to send the form during redirect even to third-party domains.
Note 1. 'self' means exact scheme://domain:port from the Url in the address bar. Therefore CSP:
form-action 'self' https: *.mydomain.com
In case Url is
HTTPS://subdomain.mydomain.comthe above CSP is becomeform-action HTTPS://subdomain.mydomain.com https: HTTPS://*.mydomain.comwhis is equal toform-action https:- it allows anything excepthttp:-Urls.In case Url is
HTTP://subdomain.mydomain.com, the above CSP is becomeform-action HTTP://subdomain.mydomain.com https: HTTP://*.mydomain.comand it does not allow a main domainmydomain.com.
Note 2. The Url https://subdomain.mydomain.com/login/local in the message:
Refused to send form data to 'https://subdomain.mydomain.com/login/local' because it violates ...`
is not Url really blocked by Chrome. This is just the first Url in the redirect chain.
Note 3. If CSP, after all, blocks the allowed domain, it is most likely that it's interference of browser extensions such as NoScript/uBlock/AdBlock/PrivacyBadger, etc. interfere.
Upvotes: 15
Related Questions
- Chrome not reporting CSP violations
- Content-Security-Policy : directive 'form-action' contains the keyword 'none'
- Content Security Policy not allowing form submission
- Chrome ignoring CSP (Content Security Policy) affecting Browser Link on ASP.NET application using .NET Core
- Content Security Policy: resource blocked but CSP is configured to allow it
- Content Security Policy is Blocking URI in Allowed Domain
- Content Security Policy violation event is not triggered
- Why is my resource getting blocked even though I allowed it specifically in the CSP declaration?
- CSP: frame-src violation with empty blocked-uri
- Why would I get a CSP warning where blocked-uri is an empty string?