Add support for form-action CSP directive [#2935167]

As detailed in this blog post, failing to set the form-action CSP directive can lead to data being sent to unauthorizeddomains.

If some rogue JS executes on a page with a form, that JS could be used to change the form's action attribute to evil.com, for example.
Adding the ability to set the form-action CSP directive would prevent form submission in this scenario.

Comment	File	Size	Author
#2	2935167-add-support-for-form-action.patch	1.12 KB	melonangie

Comments

Comment #1

8 January 2018 at 15:36

milodesc created an issue. See original summary.

Comment #2

melonangie commented 31 May 2022 at 09:16

Status	File	Size
new	2935167-add-support-for-form-action.patch	1.12 KB

Comment #3

the_g_bomb commented 25 July 2023 at 10:23

Updated URL for the relevant blog post:
https://david-gilbertson.medium.com/im-harvesting-credit-card-numbers-an...
I think it may no longer be available on hackernoon even though it still shows up in the search results

Comment #4

the_g_bomb commented 4 January 2026 at 16:29

Status:

Active

» Closed (duplicate)

Closing as a duplicate of #3219294: Add form-action directive

Comment #5

4 January 2026 at 16:29

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Add support for form-action CSP directive

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

News items

Our community

Documentation

Drupal code base

Governance of community