Content-Security-Policy HTTP Header
Content-Security-Policy
Accepted Values
Multiple directives are allowed, separated by a semicolon. Some directives take a value, which follows the directive name after a space. Multiple values are supported.

- base-uri
  Define what can be used in the base element.
  base-uri <content-security-policy>
- block-all-mixed-content
  Prevent mixed content access.
- child-src
  Define sources for web workers and frames.
  child-src <content-security-policy>
- connect-src
  Define sources for script interfaces.
  connect-src <content-security-policy>
- default-src
  Fallback for all fetches.
  default-src <content-security-policy>
- font-src
  Define sources for fonts.
  font-src <content-security-policy>
- form-action
  Define what can be used as the target for forms.
  form-action <content-security-policy>
- frame-ancestors
  Define valid parents for frame, iframe, embed, object, and applet.
  frame-ancestors <content-security-policy>
- frame-src
  Define sources for frames.
  frame-src <content-security-policy>
- img-src
  Define sources for images and favicons.
  img-src <content-security-policy>
- manifest-src
  Define sources for manifest files.
  manifest-src <content-security-policy>
- media-src
  Define sources for audio, video, and track elements.
  media-src <content-security-policy>
- navigate-to
  Restrict where the document may navigate, by any means.
  navigate-to <content-security-policy>
- object-src
  Define sources for object, embed, and applet elements.
  object-src <content-security-policy>
- plugin-types
  Define what plugins can be embedded and loaded.
  plugin-types <content-security-policy>
- prefetch-src
  Define sources to be prefetched.
  prefetch-src <content-security-policy>
- referrer
  Control the Referer header.
  referrer <content-security-policy>
- report-to
  Fire a SecurityPolicyViolationEvent.
  report-to <content-security-policy>
- report-uri <url>
  URI for violation reports.
  report-uri https://yourwebsite.com/url
- require-sri-for
  Require SRI for scripts and styles.
  require-sri-for <content-security-policy>
- require-trusted-types-for
  Enforce Trusted Types for DOM XSS sinks.
  require-trusted-types-for <content-security-policy>
- sandbox
  Enables sandboxing for the resources.
  sandbox <content-security-policy>
- script-src
  Define sources for JavaScript.
  script-src <content-security-policy>
- script-src-attr
  Define sources for inline JavaScript event handlers.
  script-src-attr <content-security-policy>
- script-src-elem
  Define sources for script elements.
  script-src-elem <content-security-policy>
- style-src
  Define sources for stylesheets.
  style-src <content-security-policy>
- style-src-elem
  Define sources for style and stylesheet link elements.
  style-src-elem <content-security-policy>
- trusted-types
  Allow certain Trusted Types policies.
  trusted-types <content-security-policy>
- upgrade-insecure-requests
  Treat insecure URLs as though they are secure.
- worker-src
  Define sources for Worker, SharedWorker, and ServiceWorker scripts.
  worker-src <content-security-policy>
- 'none'
  - No loading of resources.
- 'self'
  - Only resources from the current origin.
- 'unsafe-inline'
  - Allow use of inline resources.
- 'unsafe-eval'
  - Allow use of dynamic code.
- 'unsafe-hashes'
  - Allow use of hashes.
- 'unsafe-allow-redirects'
  - Allow use of redirected resources.
- 'strict-dynamic'
  - Allow additional resources to be added dynamically.
- 'report-sample'
  - Indicates this resource will be used to generate a violation sample.
- script-src
  - Script sources.
- <protocol>:
  - Allow from this protocol.
- <domain>
  - Allow from this domain.
- 'nonce-<nonce>'
  - Only with this nonce attribute.
- 'sha256-<hash>'
  - Only with this SHA value.
Example
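As an added example (not code from this page or from MDN), a small Python parser and checker for the directives and source values listed above: it splits a header value into directives, flags the weak settings a reviewer would look for, and builds a nonce-based policy that passes the check. The report URI and the header strings in the test are constructed inputs.

```python
import secrets

# Keyword source expressions must be single-quoted in a real header;
# an unquoted unsafe-inline is silently treated as a host name.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
            "strict-dynamic", "report-sample"}
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [source values]}.
    Directives are ';'-separated, values whitespace-separated; a repeated
    directive is ignored because browsers honour only its first occurrence."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def audit_csp(header: str) -> list:
    """Return the findings a reviewer would raise for this policy."""
    p = parse_csp(header)
    findings = []
    scripts = p.get("script-src", p.get("default-src", []))
    if "'unsafe-inline'" in scripts and not any(v.startswith(HASH_PREFIXES) for v in scripts):
        findings.append("script-src: 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' permits dynamic code")
    if any(v in ("*", "http:", "https:") for v in scripts):
        findings.append("script-src: wildcard or scheme-only source")
    if "object-src" not in p and p.get("default-src") != ["'none'"]:
        findings.append("object-src: not restricted, plugins may load")
    if "base-uri" not in p:
        findings.append("base-uri: not set, <base> can redirect relative URLs")
    for name, values in p.items():
        findings += [f"{name}: keyword {v} must be quoted" for v in values if v in KEYWORDS]
    return findings


def strict_policy(report_uri: str) -> tuple:
    """Build a nonce-based policy that passes audit_csp; returns (nonce, header).
    The nonce must be fresh per response and copied into each <script nonce=...>."""
    nonce = secrets.token_urlsafe(16)
    header = (f"default-src 'none'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
              f"object-src 'none'; base-uri 'none'; report-uri {report_uri}")
    return nonce, header
```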
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy