2

Having trouble finding an answer to this. If I set the CSP "upgrade-insecure-requests" header on a page, will it upgrade form actions? The MDN docs on the topic say "non-navigational insecure resource requests" are upgraded, but it's not clear if form actions count.

derikb
    Form actions will be upgraded, even if they’re cross-origin. See the section of the spec at https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request — *“We will not upgrade cross-origin navigation requests, with the exception of form submissions. Form submissions will be upgraded to mitigate the risk of data leakage via plaintext submissions.”* – sideshowbarker Jun 12 '20 at 23:50

0 Answers
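The behaviour described in the comment above, as an added example that is not part of the original post: a Node.js sketch that lists each form on a page and the URL its submission is sent to, with and without the directive. The function names, the regex-based form extraction and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: models form-action upgrading under upgrade-insecure-requests.
// All names and sample data below are constructed for illustration.

// True when the CSP header value carries the upgrade-insecure-requests directive.
function hasUpgradeDirective(cspHeader) {
  return cspHeader.split(';')
    .map(d => d.trim().split(/\s+/)[0].toLowerCase())
    .includes('upgrade-insecure-requests');
}

// Rewrite http: to https:. A default :80 is dropped by the URL parser, so it
// becomes the https default; an explicit non-default port is kept.
function upgradeUrl(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.href;
}

// For every <form> tag, report the resolved action and where the data is sent.
// Simplification: a regex stands in for a real HTML parser.
function auditForms(pageUrl, cspHeader, html) {
  const upgrade = hasUpgradeDirective(cspHeader);
  const results = [];
  for (const [tag] of html.matchAll(/<form\b[^>]*>/gi)) {
    const m = /\baction\s*=\s*["']([^"']*)["']/i.exec(tag);
    // A missing or empty action submits to the page's own URL.
    const action = new URL(m ? m[1] : '', pageUrl).href;
    const submitted = upgrade ? upgradeUrl(action) : action;
    results.push({ action, submitted, plaintext: submitted.startsWith('http:') });
  }
  return results;
}

// Constructed sample page: cross-origin http action, relative action,
// and a same-host http action on a non-default port.
const SAMPLE_PAGE = 'https://shop.example/checkout';
const SAMPLE_HTML = `
<form action="http://pay.other.example/charge" method="post"></form>
<form action="/login" method="post"></form>
<form action="http://shop.example:8080/search"></form>`;

console.table(auditForms(SAMPLE_PAGE, "default-src 'self'; upgrade-insecure-requests", SAMPLE_HTML));
console.table(auditForms(SAMPLE_PAGE, "default-src 'self'", SAMPLE_HTML));
```

Forms that still show `plaintext: true` when the directive is absent are the ones whose submissions depend on the header to avoid going out over HTTP.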