So I've enabled CSP on my Laravel website and it runs perfectly fine on localhost. However, the problem occurred when I deployed the website on a Linux server using a domain; it gave me an error:
Refused to send form data to 'https://example.com/login' because it violates the following Content Security Policy directive: "form-action 'self' https: *.example.com".
I've added a custom directive to my custom CSP with exactly the same link as the login request link, but it doesn't work. I've read on some forums that it can be caused by Google Chrome blocking any redirected link because it can be dangerous, and yeah, I use a Laravel redirect intended to redirect the user to the home provider after they log in, but why does it only affect the login and logout requests? It doesn't affect any other form request except those 2. I wonder if there's any solution to this problem; I've searched for many solutions on the internet but none of them seem to be working. Thank you, I really appreciate your answer.
This is my login method from LoginController:
// Imports needed at the top of LoginController
use App\Providers\RouteServiceProvider;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Validation\ValidationException;

// Handle an incoming login request for the "admin" guard.
public function store(Request $request): RedirectResponse
{
    $this->ensureIsNotRateLimited();

    $request->validate([
        'email' => ['required', 'string', 'lowercase', 'email', 'max:255'],
        'password' => ['required', 'string'],
    ]);

    // Count a failed attempt against the throttle key before rejecting.
    if (! Auth::guard('admin')->attempt($request->only('email', 'password'), $request->boolean('remember'))) {
        RateLimiter::hit($this->throttleKey());

        throw ValidationException::withMessages([
            'email' => trans('auth.failed'),
        ]);
    }

    $notification = [
        'message' => 'Anda berhasil login!',
        'alert-type' => 'success',
    ];

    // Rotate the session ID on login to prevent session fixation.
    $request->session()->regenerate();

    RateLimiter::clear($this->throttleKey());

    // Redirect to the originally requested page, or to the admin dashboard.
    return redirect()->intended(RouteServiceProvider::ADMIN_DASHBOARD)->with($notification);
}
and this is my logout method from LoginController:
// Log the admin out and fully tear down the session.
public function destroy(Request $request): RedirectResponse
{
    Auth::guard('admin')->logout();

    $request->session()->invalidate();
    $request->session()->regenerateToken(); // issue a fresh CSRF token

    return redirect('/admin/login');
}
I've added a custom directive to my custom CSP, but it doesn't work:
// inside configure() of the custom CSP Policy class (assumed context)
$this
    ->addDirective(Directive::FORM_ACTION, 'https://example.com/login')
    ->addDirective(Directive::FORM_ACTION, 'https://example.com/logout');
2 Answers

You can add a Content-Security-Policy-Report-Only header with the same policy as your enforceable policy but in report-only mode. This won't block anything but will report violations to a specified report URI. This can help identify what exactly is being blocked and why.

You are allowing *.example.com which includes subdomains of example.com. You'll need to change to example.com. Or use both example.com and *.example.com if you want to allow posting of forms to example.com and all subdomains.
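As an added example (not code from the question or either answer), a small Python checker that applies the host-source matching rule the second answer relies on and builds the report-only header the first answer suggests. The page origin https://www.example.com, the policy strings and the /csp-report path are constructed, and scheme-only sources such as https:, nonces and hashes are deliberately left out.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when a source expression or URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_source_matches(source: str, url: str, self_origin: str) -> bool:
    """Match one host-source ('self', example.com, *.example.com, https://host:8443/path)
    against an absolute form target URL. Scheme-only sources such as https:, nonces
    and hashes are not handled: constructed simplification for the question above."""
    target = urlsplit(url)
    if source == "'self'":
        source = self_origin  # 'self' is the origin of the page sending the form
    scheme, _, rest = source.rpartition("://")
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    host = host.lower()
    if scheme and scheme != target.scheme:
        return False
    # A wildcard covers subdomains only: *.example.com never matches example.com.
    if host.startswith("*."):
        if not target.hostname.endswith(host[1:]):
            return False
    elif host != target.hostname:
        return False
    want_port = int(port) if port else DEFAULT_PORTS.get(scheme or target.scheme)
    have_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if want_port != have_port:
        return False
    if slash:  # a path in the source restricts the match to that path (or prefix)
        path = "/" + path
        return target.path == path or (path.endswith("/") and target.path.startswith(path))
    return True


def form_action_allowed(policy: str, url: str, self_origin: str) -> bool:
    """Evaluate the form-action directive of a full policy string against a URL."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "form-action":
            return any(host_source_matches(s, url, self_origin) for s in parts[1:])
    return True  # no form-action directive means form targets are unrestricted


def report_only_header(policy: str, report_path: str = "/csp-report") -> tuple:
    """Ship the same policy under the report-only header: nothing is blocked,
    violations are POSTed to report_path (a placeholder endpoint, not the page's)."""
    return ("Content-Security-Policy-Report-Only", f"{policy}; report-uri {report_path}")
```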