
I need to relax the CSP (Content Security Policy) in Chrome to enable a redirect with some GET parameters to the Azure login page. When processing such redirects, Chrome applies policy restrictions related to form submissions. The default policy in such cases amounts to

<meta http-equiv="Content-Security-Policy" content="form-action 'self' javascript:"/>

In this case the redirect to https://login.microsoftonline.com/... won't work. MDN says that you can expand the list of allowed destinations, which I tried like so:

<meta http-equiv="Content-Security-Policy" content="form-action 'self' https://*.microsoftonline.com javascript:"/>

It appears to have no effect at all, as I still get the same error on the console:

Refused to send form data to 'https://login.microsoftonline.com' because it violates the following Content Security Policy directive: "form-action 'self' javascript:"

Note also that playing with the order of the attributes or removing the javascript: part does help. However, removing the self part is evidently paid some attention to by Chrome, as in this case I'm not able to send data back to the origin. It is almost like they let you tighten up the policy but not relax it. Any help will be greatly appreciated.

Alex
    *“It is almost like they let you tighten up the policy but not relax it.”* — Yes, that’s exactly how it works; see the answer at https://stackoverflow.com/a/51153816/441757 – sideshowbarker Dec 29 '18 at 09:52
  • @sideshowbarker The question you are referring to describes a different situation: some resources are given by a meta tag in the document and some in the response header. In my case I use a list of resources in the single meta tag. It is allowed according to the syntax in the MDN article. – Alex Dec 29 '18 at 15:37

2 Answers


Do not include the protocol (https) and I think it will work.

Teo Sibileau

I think that it is caused by form-action, which (according to the documentation):

The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context.

Maybe you could try the default-src directive:

default-src

The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives.

Hope it helps!

Itay Podhajcer
  • I did before I've even posted this. Along with several other combinations of attributes. No avail. But thanks anyway. – Alex Dec 31 '18 at 17:32
  • `form-action` does not fall back to `default-src`. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action – ahong May 12 '20 at 08:17