@avlidienbrunn discovered that forms submitted using XHR are not subject to the form-action Content Security Policy (CSP) directive and might be used to exfiltrate information to any host found in our connect-src source list. While most forms on GitHub.com are submitted traditionally, and restricted by our form-action source list, we do register a number of onsubmit event handlers that result in forms being submitted using XHR. As a result, an attacker can target any form we submit using XHR and potentially exfiltrate some of the form's contents, such as its CSRF token, to any host found on our connect-src source list.
The overall risk presented by this CSP bypass is low given that:

connect-src source list, the providers on that list may ignore the unexpected form values, making it potentially impossible for an attacker to recover them.
We have not addressed this issue given the low severity and our current reliance on several third-party hosts in our connect-src source list. We will continue to investigate what new browser protections may become available in the future to help mitigate this issue.