When a CSP policy blocks a form redirect, dev tools show the request as pending
Reported by gabe.cas...@uphabit.com, Jul 27
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. Visit a website with a form that is a get to the same origin, and a CSP policy of form-action 'self'
2. Have the response to that form be a 302 Found to a different origin

What is the expected behavior?
The network tab of the dev tools should show 2 requests
1. The form request completed with a status 302, and all the relevant data
2. A request to the redirected origin with a status of (blocked:csp)
There is a console error showing
Refused to send form data to '<OTHER ORIGIN>' because it violates the following Content Security Policy directive: "form-action 'self'".

What went wrong?
Instead it shows the form request as being stuck pending, and does show the console error

Did this work before? N/A

Chrome version: 67.0.3396.99 Channel: n/a
OS Version: OS X 10.13.6
Flash Version:
Comment 1 by caseq@google.com, Jul 27
Status: Assigned (was: Unconfirmed)
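
A minimal local reproduction of the steps in the report, as an added example that is not part of the original issue or of Chromium's code. The ports, paths and the `SERVE` switch are assumptions, and `expectedNetworkRows` is a simplified model of the two Network tab rows the reporter expects.

```javascript
// Added example (constructed): origins, ports and paths are assumptions.
const APP = 'http://localhost:8000';   // origin that serves the form
const OTHER = 'http://localhost:8001'; // different origin (same host, other port)
const CSP = "form-action 'self'";
const FORM = '<form method="get" action="/submit"><input name="q" value="test"><button>Send</button></form>';

// What each origin answers for a GET; pure, so it can be checked without a socket.
function respond(origin, path) {
  if (origin === APP && path === '/') {
    return {
      status: 200,
      headers: { 'Content-Type': 'text/html', 'Content-Security-Policy': CSP },
      body: FORM,
    };
  }
  if (origin === APP && path === '/submit')
    return { status: 302, headers: { Location: `${OTHER}/landing` }, body: '' };
  if (origin === OTHER && path === '/landing')
    return { status: 200, headers: { 'Content-Type': 'text/plain' }, body: 'landed' };
  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
}

// Simplified model of the rows the report expects in the Network tab:
// each hop of the submission must stay on the document's origin ('self').
function expectedNetworkRows(documentUrl, action) {
  const self = new URL(documentUrl).origin;
  const rows = [];
  let url = new URL(action, documentUrl);
  for (let hop = 0; hop < 5; hop++) {
    if (url.origin !== self) { rows.push({ url: url.href, status: '(blocked:csp)' }); break; }
    const res = respond(url.origin, url.pathname);
    rows.push({ url: url.href, status: res.status });
    if (res.status !== 302) break;
    url = new URL(res.headers.Location, url);
  }
  return rows;
}

// SERVE=1 starts both origins so the behaviour can be observed in DevTools.
if (process.env.SERVE === '1') {
  import('node:http').then(({ createServer }) => {
    for (const origin of [APP, OTHER]) {
      createServer((req, res) => {
        const r = respond(origin, new URL(req.url, origin).pathname);
        res.writeHead(r.status, r.headers);
        res.end(r.body);
      }).listen(Number(new URL(origin).port), 'localhost');
    }
  });
}
```

Saved under a file name of your choice (here assumed `repro.js`), run it with `SERVE=1 node repro.js`, open http://localhost:8000/ with the Network tab open and submit the form.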