solidjs / solid-router

A universal router for Solid inspired by Ember and React Router
MIT License

Form action set as insecure by google chrome. #350

Closed AlbertSabate closed 9 months ago

AlbertSabate commented 9 months ago

Fixes issue #349

When accessing a website over https, forms whose action="" is not https:// are marked as insecure by Google Chrome (see the Google Chrome Docs).

The new form action on @solidjs/router renders the markup like this:

<form method="post" action="action:signUpForm">...</form>

This PR changes the action to:

<form method="post" action="https://action/signUpForm">...</form>

Preventing Google Chrome from seeing the action as unsafe.

ryansolid commented 9 months ago

Hmm.. the only thing I'm wondering is if we are lying here if the protocol for the site isn't https.. Then again this whole thing is a lie in a sense as we never actually submit the form. I'm just wondering if we just used /action without the https, would this still work on an https site?

I guess the biggest issue there would be eliminating the base URL. Or I guess using the attribute value instead of the property value.

I can merge the PR and play with it. I guess there is no easy way to test this locally.

AlbertSabate commented 9 months ago

Hello @ryansolid,

I can make that change, no worries; I got the setup done already.

My only concern for this approach is a conflict if another dev implements a route starting with /action/, which will probably conflict with the handleFormSubmit. There is this condition: if (!actionRef.startsWith("/action/")) {

Another approach is to detect the protocol and use it accordingly, but I'm unsure if it is necessary as http and form https or http will not show as insecure.

Let me know your thoughts about this, and I amend it accordingly.

ryansolid commented 9 months ago

Yeah.. this is unlikely to conflict. We'd need to come up with a unique pathname to do this .. more unique than actions.

Yeah, no, this is probably fine as is. I am in general disappointed we could use the protocol the way I originally intended, as it is basically a no-op on failure, but this will be fine.
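To make the trade-off in this thread concrete (the Chrome warning described in the PR body, and the "/action/" prefix concern raised later), here is an added example that is not solid-router's code. It resolves each candidate action value against a page URL the way a browser does and reports whether an https page would submit it over a non-https scheme; the scheme comparison is an assumed simplification of Chrome's mixed-content form check.

```javascript
// Added example (not from solid-router). Models how a form action resolves
// against the page URL and whether an https page would flag it as insecure.
// Only the scheme comparison is modelled; Chrome's full rules are assumed.

// Resolve a form action like a browser: relative values resolve against the
// page URL, absolute values (including custom schemes) stand on their own.
function resolveAction(action, pageUrl) {
  try {
    return new URL(action, pageUrl);
  } catch {
    return null; // unparseable action value
  }
}

// True when an https page would submit this form over anything but https.
// Pages served over plain http are not checked, matching the thread's point
// that the warning only appears on https sites.
function isInsecureFormAction(action, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false;
  const target = resolveAction(action, pageUrl);
  if (!target) return true; // treat unparseable as insecure (conservative)
  return target.protocol !== "https:";
}

// The routing side of the discussion: the handler quoted in the thread keys
// on a pathname prefix ("/action/"), so the pathname each variant yields
// decides whether it can collide with an app route of the same name.
function actionPathname(action, pageUrl) {
  const target = resolveAction(action, pageUrl);
  return target ? target.pathname : null;
}

// Constructed sample page and the three action shapes discussed in the PR.
const PAGE = "https://example.com/signup";
const VARIANTS = ["action:signUpForm", "https://action/signUpForm", "/action/signUpForm"];

function summarize(pageUrl = PAGE) {
  return VARIANTS.map((action) => ({
    action,
    insecure: isInsecureFormAction(action, pageUrl),
    pathname: actionPathname(action, pageUrl),
  }));
}

for (const row of summarize()) console.log(row);
```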