Content security policy: allows form hijacking
Description: Content security policy: allows form hijacking
Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets. A policy that does not restrict where forms may be submitted leaves open the possibility that an injected form sends user-entered data to a destination the site does not control, even when script execution is blocked.
Remediation: Content security policy: allows form hijacking
We recommend using the form-action directive in the CSP response header to control form post destinations. If no forms are used, set form-action to 'none' to block untrusted forms. For applications without external form URLs, use 'self' to allow only same-origin URLs. If external destinations are needed, allow-list those hosts, but be aware that this still permits submissions to those external resources.
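As an added example (not code from the original page), a small check that parses a CSP response header and reports how it constrains form destinations, using constructed sample policies. It also covers a caveat the remediation relies on: form-action does not fall back to default-src, so a policy that omits the directive leaves form destinations unrestricted.

```python
# Constructed sample policies (not taken from the original page): a policy that
# blocks script injection but leaves form destinations unrestricted, and the
# same policy with form-action added as the remediation recommends.
WEAK_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
FIXED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; form-action 'self'"


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}.

    Browsers honour only the first occurrence of a directive, so a repeated
    directive is ignored here as well.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_form_action(header):
    """Classify how a policy restricts form submission destinations.

    Returns (status, detail). Note that form-action does not inherit from
    default-src: without the directive, forms may submit anywhere.
    """
    sources = parse_csp(header).get("form-action")
    if sources is None:
        return ("unrestricted", "no form-action directive; forms may submit to any origin")
    lowered = [s.lower() for s in sources]
    # An empty source list, like 'none', matches no destination at all.
    if not lowered or lowered == ["'none'"]:
        return ("blocked", "form submissions are blocked entirely")
    # A bare wildcard or a scheme-only source allows any host.
    if "*" in lowered or any(s in ("http:", "https:") for s in lowered):
        return ("unrestricted", f"form-action allows any host: {' '.join(sources)}")
    if lowered == ["'self'"]:
        return ("same-origin", "forms may only submit to the page's own origin")
    external = [s for s in sources if s.lower() != "'self'"]
    return ("allow-list", f"forms may submit to: {' '.join(external)}")


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        status, detail = check_form_action(csp)
        print(f"{label}: {status} ({detail})")
```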
References
- PortSwigger Research: Stealing passwords from infosec Mastodon - without bypassing CSP
- Web Security Academy: What is CSP?
- Content Security Policy (CSP)
Vulnerability classifications
Typical severity: Information
Type index (hex): 0x00200508
Type index (decimal): 2098440