@avlidienbrunn discovered that forms submitted using XHR are not subject to the form-action Content Security Policy (CSP) directive and might be used to exfiltrate information to any host found in our connect-src source list. While most forms on GitHub.com are submitted traditionally, and restricted by our form-action source list, we do register a number of onsubmit event handlers that result in forms being submitted using XHR. As a result, an attacker can target any form we submit using XHR and potentially exfiltrate some of the form's contents, such as its CSRF token, to any host found on our connect-src source list.
The overall risk presented by this CSP bypass is low given that:

- connect-src source list, the providers on that list may ignore the unexpected form values, making it potentially impossible for an attacker to recover them.

We have not addressed this issue given the low severity and our current reliance on several third-party hosts in our connect-src source list. We will continue to investigate what new browser protections may become available in the future to help mitigate this issue.