@avlidienbrunn discovered that forms submitted using XHR are not subject to the form-action Content Security Policy (CSP) directive and might be used to exfiltrate information to any host found in our connect-src source list. While most forms on GitHub.com are submitted traditionally, and restricted by our form-action source list, we do register a number of onsubmit event handlers that result in forms being submitted using XHR. As a result, an attacker can target any form we submit using XHR and potentially exfiltrate some of the form’s contents, such as its CSRF token, to any host found on our connect-src source list.

The overall risk presented by this CSP bypass is low given that:

• This bypass only applies to the subset of forms submitted using XHR.
• It may not be trivial to retreive the contents of the form submission. While an attacker can force a XHR submission to any host on our connect-src source list, the providers on that list may ignore the unexpected form values, making it potentially impossible for an attacker to recover them.
• Our use of per-form CSRF tokens (tokens are only valid for the single form they were generated for) limits the utility of any single token.

We have not addressed this issue given the low severity and our current reliance on several third-party hosts in our connect-src source list. We will continue to investigate what new browser protections may become available in the future to help mitigate this issue.