nico3333fr / CSP-useful

Collection of scripts, thoughts about CSP (Content Security Policy)
MIT License

Form-action: data #80

Open Sora2455 opened 5 years ago

Sora2455 commented 5 years ago

I'm occasionally getting violation reports from Opera and Chrome saying that someone is setting their form-action to a data URL:

```json
{
  "csp-report": {
    "document-uri": [SITE URL],
    "effective-directive": "form-action",
    "original-policy": "default-src [SITE URL]; style-src https: 'unsafe-inline'; img-src data: blob: https:; frame-src ; child-src blob:; worker-src 'self' blob:; script-src https: 'unsafe-inline' 'report-sample' 'self' 'strict-dynamic' 'nonce-[removed]'; object-src 'none'; form-action [SITE URL]; report-uri [SITE URL]; report-to csproReportEndpoint;",
    "blocked-uri": "data"
  }
}
```

Does this make any sense to anyone?

MaceWindu commented 5 years ago

That's interesting. I can see that such form actions are supported, but I'm not sure who would use them, or why: https://www.w3.org/TR/html50/forms.html#submit-data-post

I would suspect some plugin tries to replace your page with a file provided by a "data:" URL on form submit.

According to https://stackoverflow.com/questions/45493234/jspdf-not-allowed-to-navigate-top-frame-to-data-url it shouldn't work anyway in Chrome.
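The report above shows `"blocked-uri": "data"` rather than the full `data:` URL because CSP3 strips any URL whose scheme is not http(s)/ws(s) down to its bare scheme before reporting. A practitioner receiving such reports mostly wants to tell them apart from the case `form-action` actually exists for: a form posting to a third-party origin. The following is an added example written for this thread, not code from the CSP-useful repo. It assumes reports arrive either in the legacy `report-uri` JSON shape (`csp-report`) or in the Reporting API shape (`type: "csp-violation"`); the sample batch, origins and category names are constructed for illustration.

```javascript
// Added example for this thread (not code from the CSP-useful repo): a small
// triage pass over CSP violation reports that singles out form-action hits.
// Sample reports below are constructed; field names follow the legacy
// report-uri JSON (csp-report) and the Reporting API (type: csp-violation).

// CSP3 "strip URL for use in reports" reduces any URL whose scheme is not
// http(s)/ws(s) to the bare scheme, which is why a form posting to
// data:text/html,... arrives as "blocked-uri": "data".
const NON_NETWORK_SCHEMES = new Set(["data", "blob", "filesystem", "about", "javascript"]);

// Normalise both report shapes to one record; returns null for anything else.
function normalizeReport(report) {
  if (report && report["csp-report"]) {
    const r = report["csp-report"];
    return {
      documentUri: r["document-uri"],
      directive: r["effective-directive"] || r["violated-directive"],
      blockedUri: r["blocked-uri"] || "",
      policy: r["original-policy"] || "",
    };
  }
  if (report && report.type === "csp-violation" && report.body) {
    const b = report.body;
    return {
      documentUri: b.documentURL,
      directive: b.effectiveDirective,
      blockedUri: b.blockedURL || "",
      policy: b.originalPolicy || "",
    };
  }
  return null;
}

// Pull the form-action source list out of the original policy string.
function formActionSources(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === "form-action") return tokens.slice(1);
  }
  return [];
}

// Classify one form-action violation; null if the report is for another directive.
function classifyFormAction(report) {
  const r = normalizeReport(report);
  if (!r || r.directive !== "form-action") return null;
  const docOrigin = new URL(r.documentUri).origin;
  const sources = formActionSources(r.policy);

  if (NON_NETWORK_SCHEMES.has(r.blockedUri)) {
    // A form pointed at data:/blob:/etc. Chrome already refuses to navigate the
    // top frame to a data: URL, so the policy is confirming browser behaviour;
    // the thread's guess for the origin of these is a plugin, not an attack.
    return { category: "non-network-target", severity: "low", target: r.blockedUri + ":", sources };
  }
  let target;
  try {
    target = new URL(r.blockedUri);
  } catch {
    return { category: "unparseable-target", severity: "info", target: r.blockedUri, sources };
  }
  if (target.origin === docOrigin) {
    // Own origin blocked: the policy lacks 'self' or the site URL, or a page
    // posts somewhere unexpected. Usually a deployment regression.
    return { category: "same-origin-denied", severity: "medium", target: target.origin, sources };
  }
  // A form trying to post to a third party is what form-action is there to stop:
  // an injected or tampered form sending submitted data elsewhere. Investigate.
  return { category: "cross-origin-target", severity: "high", target: target.origin, sources };
}

// Summarise a batch of reports as counts per category plus the findings.
function triageReports(reports) {
  const counts = {};
  const findings = [];
  for (const report of reports) {
    const finding = classifyFormAction(report);
    if (!finding) continue;
    findings.push(finding);
    counts[finding.category] = (counts[finding.category] || 0) + 1;
  }
  return { counts, findings };
}

// Constructed sample batch: the data: case from this issue, one third-party
// target delivered via the Reporting API, and an unrelated script-src report.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.test/login", "effective-directive": "form-action",
      "original-policy": "default-src https://example.test; form-action https://example.test; report-uri https://example.test/csp",
      "blocked-uri": "data" } },
  { type: "csp-violation", url: "https://example.test/checkout",
    body: { documentURL: "https://example.test/checkout", effectiveDirective: "form-action",
      originalPolicy: "form-action 'self'", blockedURL: "https://collector.example/post", disposition: "enforce" } },
  { "csp-report": { "document-uri": "https://example.test/", "effective-directive": "script-src",
      "original-policy": "script-src 'self'", "blocked-uri": "inline" } },
];

console.log(JSON.stringify(triageReports(SAMPLE_REPORTS), null, 2));
```

Run with `node` and the batch above yields one `non-network-target` (the `data` report from this issue, low severity) and one `cross-origin-target` (high severity, the case worth an alert); the `script-src` report is ignored. The source-list parser is deliberately minimal: it returns the raw tokens for context and does not evaluate wildcard or path matching.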