Restrict form-action CSP directive
Our current form-action CSP isn't restrictive at all: it allows any HTTP and HTTPS URL, see https://gitlab.com/gitlab-org/gitlab/-/blob/f7281682d3fe94261c2a7d6a2846cf379cda26c8/lib/gitlab/content_security_policy/config_loader.rb#L43
This can be used to bypass CSP, as demonstrated in https://portswigger.net/research/using-form-hijacking-to-bypass-csp
We need to scope it down to the minimal set of URLs we need to post forms to. form-action 'self' should cover most use cases, but we may POST forms to customers.gitlab.com, Jira, GCP/AWS and other such providers in integrations, so we will need to analyze our current usage before rolling out a strict allow-list.
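To make the difference concrete, here is an added Ruby example (not GitLab's config_loader.rb) that builds the permissive directive beside a strict allow-list and evaluates whether a given form target would be permitted under each. The page origin gitlab.example and the off-site target evil.example are constructed placeholders; customers.gitlab.com is the one allow-list host the issue names, and the scheme-less host-source handling is a simplification of the CSP matching rules.

```ruby
require 'uri'

# Weak setting the issue describes: any http: or https: form target is allowed.
PERMISSIVE_FORM_ACTION = ["http:", "https:"].freeze
# Proposed strict allow-list: same origin plus the integration hosts that usage
# analysis confirms (customers.gitlab.com is named in the issue; add others after review).
STRICT_FORM_ACTION = ["'self'", "https://customers.gitlab.com"].freeze

# Build the form-action directive as it would appear in a Content-Security-Policy header.
def form_action_directive(sources)
  "form-action #{sources.join(' ')}"
end

# Decide whether a form submission target is permitted under a form-action source list.
# Supports 'self' (same scheme, host and port as the page), scheme sources such as
# "https:", and host sources with or without a scheme ("https://customers.gitlab.com").
# Simplification: a host source without a scheme matches on host and default port only.
def form_action_allowed?(sources, page_origin, target_url)
  page = URI.parse(page_origin)
  target = URI.parse(target_url)
  sources.any? do |src|
    case src
    when "'self'"
      target.scheme == page.scheme && target.host == page.host && target.port == page.port
    when /\A[a-z][a-z0-9+.-]*:\z/i # scheme-source, e.g. "https:"
      "#{target.scheme}:".casecmp?(src)
    else
      explicit_scheme = src.include?("://")
      host_src = URI.parse(explicit_scheme ? src : "https://#{src}")
      (!explicit_scheme || target.scheme == host_src.scheme) &&
        target.host == host_src.host && target.port == host_src.port
    end
  end
end

# Constructed scenario: a form whose action attribute has been hijacked to post off-site.
# Under the permissive directive it is allowed; under the strict allow-list it is blocked,
# while the legitimate same-origin and customers.gitlab.com targets still pass.
if __FILE__ == $PROGRAM_NAME
  page = "https://gitlab.example"
  targets = ["https://gitlab.example/-/sign_in",
             "https://customers.gitlab.com/checkout",
             "https://evil.example/collect"]
  [PERMISSIVE_FORM_ACTION, STRICT_FORM_ACTION].each do |policy|
    puts form_action_directive(policy)
    targets.each { |t| puts "  #{t} => #{form_action_allowed?(policy, page, t)}" }
  end
end
```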