I'm occasionally getting violation reports from Opera and Chrome saying that someone is setting their form-action to a data URL:
{
  "csp-report": {
    "document-uri": [SITE URL],
    "effective-directive": "form-action",
    "original-policy": "default-src [SITE URL]; style-src https: 'unsafe-inline'; img-src data: blob: https:; frame-src *; child-src * blob:; worker-src 'self' blob:; script-src https: 'unsafe-inline' 'report-sample' 'self' 'strict-dynamic' 'nonce-[removed]'; object-src 'none'; form-action [SITE URL]; report-uri [SITE URL]; report-to csproReportEndpoint;",
    "blocked-uri": "data"
  }
}
Does this make any sense to anyone?