fix(mcp): restrict sandbox form submissions to the declared egress

form-action does not fall back to default-src, so with the inner iframe created
allow-forms a script could submit a hidden form to any origin and bypass the
connectDomains deny-by-default egress policy. The generated sandbox CSP now sets
form-action to the same declared connect allowlist ('none' when none is set).
This commit is contained in:
Dustin Healy 2026-06-24 08:30:06 -07:00
parent 251b18b9e9
commit 39a06f43f4

View file

@ -158,6 +158,9 @@
("script-src 'unsafe-inline' " + resourceDomains).trim(),
("style-src 'unsafe-inline' " + resourceDomains).trim(),
"connect-src " + connectDomains,
// form-action does not fall back to default-src, so with allow-forms a form could post to
// any origin; bound it to the declared egress allowlist ('none' when none is declared).
"form-action " + connectDomains,
("img-src data: blob: " + resourceDomains).trim(),
("media-src " + (resourceDomains || "'none'")).trim(),
("font-src " + (resourceDomains || "'none'")).trim(),