@avlidienbrunn discovered that forms submitted using XMLHttpRequest (XHR) are not subject to the form-action Content Security Policy (CSP) directive; the resulting request is governed by connect-src instead, so such a submission can carry information to any host in our connect-src source list. While most forms on GitHub.com are submitted traditionally, and are therefore restricted by our form-action source list, we do register a number of onsubmit event handlers that submit forms using XHR. As a result, an attacker who can target a form we submit using XHR could potentially exfiltrate some of the form's contents, such as its CSRF token, to any host found in our connect-src source list.
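The following is an added example, not GitHub's code, that models the two submission paths described above. The policy, the page origin, the third-party host and the form contents are all constructed for illustration. A small matcher applies a CSP source list to a URL; a traditional submit is checked against form-action, while an XHR submit is checked only against connect-src, so a form whose action points at a connect-src host sails through the XHR path. The hardened handler shown alongside is one possible mitigation (refusing to XHR-submit a form whose action is not same-origin), not a change GitHub describes making.

```javascript
// Added example (not GitHub's code). Models why an XHR-submitted form is
// governed by connect-src rather than form-action, and one way an onsubmit
// handler can close the gap. All hosts and the policy are constructed.

const PAGE_ORIGIN = "https://app.example.com"; // constructed page origin

// Constructed CSP: forms may only post to 'self', but XHR may also reach
// one third-party API host.
const POLICY = {
  "form-action": ["'self'"],
  "connect-src": ["'self'", "https://api.third-party.example"],
};

// Matcher for the subset of CSP host-source syntax used here:
// 'self', scheme://host[:port] and scheme://*.host[:port].
function matchesSourceList(urlString, sources, pageOrigin) {
  const url = new URL(urlString, pageOrigin);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "'self'") return url.origin === page.origin;
    const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)(?::(\d+))?$/i.exec(src);
    if (!m) return false; // unsupported source expression: treat as no match
    const [, scheme, wildcard, host, port] = m;
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
    // URL.port is "" for the scheme's default port, matching an absent port.
    if ((port || "") !== url.port) return false;
    const h = url.hostname.toLowerCase();
    return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
  });
}

// Simulated browser enforcement for the two ways a form can be sent.
function traditionalSubmit(form) {
  return matchesSourceList(form.action, POLICY["form-action"], PAGE_ORIGIN)
    ? { sent: true, to: new URL(form.action, PAGE_ORIGIN).href }
    : { sent: false, blocked: "form-action" };
}

function xhrSend(target, body) {
  return matchesSourceList(target, POLICY["connect-src"], PAGE_ORIGIN)
    ? { sent: true, to: new URL(target, PAGE_ORIGIN).href, body }
    : { sent: false, blocked: "connect-src" };
}

function serialize(form) {
  return new URLSearchParams(form.fields).toString();
}

// Vulnerable onsubmit handler: trusts form.action and submits it via XHR,
// so only connect-src applies to the destination.
function vulnerableOnSubmit(form) {
  return xhrSend(form.action, serialize(form));
}

// Hardened handler (illustrative mitigation): XHR-submit only same-origin
// actions; anything else falls back to the traditional path, which the
// browser checks against form-action.
function hardenedOnSubmit(form) {
  const target = new URL(form.action, PAGE_ORIGIN);
  if (target.origin !== new URL(PAGE_ORIGIN).origin) return traditionalSubmit(form);
  return xhrSend(target.href, serialize(form));
}

// Constructed forms: one legitimate, one whose action an attacker has
// pointed at a host that is in connect-src but not in form-action.
const legitimateForm = {
  action: "/comments",
  fields: { authenticity_token: "csrf-token-value", comment: "hello" },
};
const targetedForm = {
  action: "https://api.third-party.example/collect",
  fields: { authenticity_token: "csrf-token-value", comment: "hello" },
};

function demo() {
  return {
    traditional: traditionalSubmit(targetedForm), // blocked by form-action
    xhrVulnerable: vulnerableOnSubmit(targetedForm), // sent: the bypass
    xhrHardened: hardenedOnSubmit(targetedForm), // blocked again
    legitimate: hardenedOnSubmit(legitimateForm), // still works
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The matcher covers only the host-source forms needed here; a real policy evaluator also handles path matching, scheme-only sources, nonces and hashes. The point the demo makes is the asymmetry: the same destination is rejected by form-action and accepted by connect-src, and the attacker-controlled action decides which list the browser consults.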

The overall risk presented by this CSP bypass is low given that:

We have not addressed this issue given the low severity and our current reliance on several third-party hosts in our connect-src source list. We will continue to investigate what new browser protections may become available in the future to help mitigate this issue.