Skip to content

Web Lab 2: allow forms but no form actions #70725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
molly-moen wants to merge 1 commit into
base: staging
Choose a base branch
from
Open

Web Lab 2: allow forms but no form actions #70725

molly-moen wants to merge 1 commit into from
+7 −3

Conversation

@molly-moen
Copy link
Contributor

@molly-moen molly-moen commented Feb 10, 2026

We want to provide minimal support for forms in Web Lab 2. What we want to support is projects that submit forms via a "submit" button, but all that button does is trigger an event handler that does some benign operation, not write to an external url.

We can support this by allowing forms on the iframe sandbox, but setting form-action to none in the content security policy. This allows submit buttons on forms to work, but you must call preventDefault on that submit action to avoid throwing a content security policy error.

Links

Testing story

Tested locally. Before this a submit button event handler would not work. Now it does, but if you don't call preventDefault you see an error.

PR Creation Checklist:

  • Tests provide adequate coverage
  • Privacy impacts have been documented
  • Security impacts have been documented
  • Code is well-commented
  • New features are translatable or updates will not break translations
  • Relevant documentation has been added or updated
  • User impact is well-understood and desirable
  • Follow-up work items (including potential tech debt) are tracked and linked

hannahbergam
hannahbergam approved these changes Feb 10, 2026
View reviewed changes
Copy link
Contributor

@hannahbergam hannahbergam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

fisher-alice
fisher-alice approved these changes Feb 11, 2026
View reviewed changes
Copy link
Contributor

@fisher-alice fisher-alice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

Was able to test locally with the project code from @moshebaricdo's https://studio.code.org/projects/weblab2/58da897d-2d17-412a-9eac-13d3fe58db0d/view. (cool that he used local storage to store tasks so they persisted on reload!)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hannahbergam hannahbergam hannahbergam approved these changes

@fisher-alice fisher-alice fisher-alice approved these changes

@unlox775-code-dot-org unlox775-code-dot-org Awaiting requested review from unlox775-code-dot-org

@edcodedotorg edcodedotorg Awaiting requested review from edcodedotorg

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@molly-moen @hannahbergam @fisher-alice