PlzNavigate: Enforce 'form-action' CSP on the browser-side.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-with-redirect.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-with-redirect.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-with-redirect.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-with-redirect.html
new file mode 100644
index 0000000000000000000000000000000000000000..9f3de5f2ca470773c4e000f0f85642ccaa2b7e31
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-with-redirect.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000">
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+        testRunner.clearBackForwardList();
+        testRunner.dumpBackForwardList();
+    }
+    window.addEventListener('load', function() {
+        setTimeout(function () {
+            testRunner.notifyDone();
+        }, 1000);
+        document.getElementById('submit').click();
+    });
+</script>
+</head>
+<body>
+    <form
+      action="/resources/redirection-response.php?host=localhost:8000&status=302&target=/navigation/resources/form-target.pl"
+      id='theform'
+      method='post'>
+        <input type='text' name='fieldname' value='fieldvalue'>
+        <input type='submit' id='submit' value='submit'>
+    </form>
+
+    <p>Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.</p>

[alexmos, 2017/03/16 23:05:36]

nit: update description to mention redirects.

[arthursonzogni, 2017/03/17 14:58:25]

Done.

+</body>
+</html>