I don't remember the rationale behind form-action without looking it up, but I suspect it was rather more the fact that default-src doesn't block navigations. Submitting forms is more like navigating than loading resources into a document.

Breakage definitely was not the rationale behind frame-ancestors. That directive describes the embedding context (like the sandbox directive) and has nothing to do with resources loaded by that document.

So far we've worked to give directives "-src" names if they're going to be controlled by default-src.

-Dan Veditz

Received on Friday, 1 April 2016 00:05:48 UTC
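The naming rule in the message above has a practical consequence for policy review: a policy that sets only default-src leaves form-action and frame-ancestors unrestricted. The following is an added example, not code from the message or from any browser; the function names, the sample policy and the fallback table (written from the CSP specification's fallback lists for the common "-src" fetch directives) are this example's own.

```javascript
// Added example: resolve which source list governs a directive, and
// report the non-"-src" directives that default-src never covers.

// Fallback chains for fetch directives; every chain ends at default-src.
const FALLBACK = {
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};
for (const d of ["child-src", "connect-src", "font-src", "img-src",
                 "media-src", "object-src", "script-src", "style-src"]) {
  FALLBACK[d] = ["default-src"];
}

// Directives named in the message that default-src does not control.
const NOT_COVERED_BY_DEFAULT = ["form-action", "frame-ancestors"];

// Parse a serialized policy into Map(directive -> source list).
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the source list that applies, or null if the policy places
// no restriction on this directive.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  for (const fallback of FALLBACK[directive] || []) {
    if (policy.has(fallback)) return policy.get(fallback);
  }
  return null;
}

// List the directives a reviewer must set explicitly.
function uncoveredDirectives(header) {
  const policy = parsePolicy(header);
  return NOT_COVERED_BY_DEFAULT.filter((d) => !policy.has(d));
}

// Constructed sample policy.
const sample = "default-src 'self'; img-src https://img.example";
console.log(uncoveredDirectives(sample)); // directives left open
```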