mozilla / testpilot

Test Pilot is a platform for performing controlled tests of new product concepts in Firefox
https://testpilot.firefox.com/

CSP error with newsletter signup form ("form-action 'none'") #1891

Open pdehaan opened 7 years ago

pdehaan commented 7 years ago

Found in https://testpilot.stage.mozaws.net/__version__ ():

{ "commit": "e42d9cb5ec4e75f45fe6123ade507bce14037fea",
  "version": "2016-11-29-1",
  "source": "https://github.com/mozilla/testpilot" }

Steps to reproduce:

  1. Go to https://testpilot.stage.mozaws.net/
  2. Open your DevTools console.
  3. Scroll down to the newsletter signup form.
  4. Enter your name.
  5. Click the "Sign Up Now" button.

Actual results:

DevTools console says:

Content Security Policy: The page’s settings blocked the loading of a resource at https://testpilot.stage.mozaws.net/ (“form-action 'none'”).

Looks legit, I don't see an action or method on that <form> element:

<form class="newsletter-form">
  <input required="" data-l10n-id="newsletterFormEmailPlaceholder" placeholder="Your email here" value="peter" type="email">
  <label class="revealed-field reveal" for="privacy">
    <input name="privacy" required="" value="on" type="checkbox">
    <span data-l10n-id="newsletterFormPrivacyNotice">I'm okay with Mozilla handling my info as explained in <a href="/privacy">this privacy notice</a>.</span>
  </label>
  <button data-l10n-id="newsletterFormSubmitButton">Sign Up Now</button>
  <p class="disclaimer revealed-field reveal" data-l10n-id="newsletterFormDisclaimer">We will only send you Test Pilot-related information.</p>
</form>
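Added example, not code from the Test Pilot repository: a small Python evaluator for the CSP form-action check behind the console message above. It shows why a <form> with no action attribute is blocked by `form-action 'none'` (the submission resolves to the document's own URL), that form-action has no default-src fallback, and what `'self'` or an explicit host-source changes; newsletter.example.com is a constructed placeholder host.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def _port(url):
    return url.port or DEFAULT_PORTS.get(url.scheme)

def host_source_matches(source, target, page):
    """Match a host-source (https://a.example, a.example:8443, *.example) against target.
    Simplified: the scheme must match exactly, and a scheme-less source inherits the page's."""
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = page.scheme, source
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme != target.scheme:
        return False
    if host.startswith("*."):
        if not (target.hostname or "").endswith(host[1:]):
            return False
    elif host != target.hostname:
        return False
    return port in ("", "*") or port == str(_port(target))

def form_action_allowed(csp_header, page_url, form_action=""):
    """True if a form on page_url with this action attribute passes form-action.

    A missing or empty action, as in the <form> in this issue, submits to the
    document's own URL. form-action does not fall back to default-src.
    """
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, form_action))
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True                   # directive absent: submissions unrestricted
    if sources == ["'none'"]:
        return False                  # 'none' blocks even a same-origin submission
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.hostname, _port(target)) == (page.scheme, page.hostname, _port(page)):
                return True
        elif not src.startswith("'") and host_source_matches(src, target, page):
            return True
    return False
```

Running `form_action_allowed("form-action 'none'", "https://testpilot.stage.mozaws.net/")` reproduces the block from the report, while `form-action 'self'` lets the action-less form submit to its own page.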

johngruen commented 7 years ago

I'll investigate this

johngruen commented 7 years ago

@fzzzy thinks we should allow form-action=none to CSP