
Content-Security-Policy


This is an experimental technology
Because this technology's specification has not stabilized, check the compatibility table for usage in various browsers. Also note that the syntax and behavior of an experimental technology are subject to change in future versions of browsers as the specification changes.

DRAFT

The Content-Security-Policy header field allows web site administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.

To set a content security policy, add one or more policy directives to either of the response headers listed below. Alternatively, most policy directives can be used in a <meta> tag with the http-equiv attribute. If a policy directive is not defined, user agents will allow resources from anywhere. The default-src directive overrides this behavior for a select number of other directives. See the policy directives page for more information.

Workers are in general not governed by the content security policy of the document (or parent worker) that created them. To specify a content security policy for the worker, set a Content-Security-Policy header on the response that delivers the worker's own script. The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the content security policy of the document or worker that created it.
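The two rules above (an undefined directive allows everything unless default-src covers it, and a worker is governed by its own script's policy unless its origin is a data: or blob: URL) are easiest to see in code. The following is an added example written for this article, not code from MDN or from any browser; the set of directives that fall back to default-src is taken from the CSP specification (the article does not list them), and the source matcher is a deliberately simplified model that handles only '*', 'none', 'self' and explicit origins.

```python
# Added example: resolves which source list governs a fetch under a
# Content-Security-Policy, applies the default-src fallback, and decides
# which policy applies to a worker. Not MDN's or any browser's code.
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
# This set comes from the CSP specification; the article does not enumerate it.
# Directives such as frame-ancestors, base-uri, form-action and report-uri
# do NOT fall back to default-src.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_policy(header_value):
    """Parse a CSP header value into {directive-name: [source, ...]}.

    Directives are ';'-separated; the first token of each is the name and the
    remaining tokens are its source expressions. A repeated directive name is
    ignored (the first occurrence wins), as the specification requires.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return the source list that governs `directive`.

    An absent directive allows resources from anywhere ('*'), unless it is one
    of the directives that default-src covers and default-src is present.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def _origin(url):
    # scheme://host[:port], lower-cased; default ports are not normalised here
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_allows(sources, resource_url, page_origin):
    """Simplified source-expression matcher (an assumption of this example):
    supports '*', 'none', 'self' and explicit scheme://host[:port] origins.
    Host wildcards, path matching, nonces and hashes are not modelled."""
    if "'none'" in sources:
        return False
    origin = _origin(resource_url)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and origin == page_origin:
            return True
        if src.lower() == origin:
            return True
    return False


def policy_for_worker(worker_url, worker_response_policy, creator_policy):
    """A worker is governed by the policy sent with its own script, except when
    its origin is globally unique (data: or blob: URL), in which case it
    inherits the policy of the document or worker that created it. A worker
    whose response carried no CSP header ends up with an empty policy."""
    if urlparse(worker_url).scheme in ("data", "blob"):
        return creator_policy
    return worker_response_policy or {}
```

Running `effective_sources` over a policy such as `default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'` shows the asymmetry the article describes: img-src inherits 'self' from default-src, while form-action, which does not fall back, stays wide open until it is set explicitly.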

The HTTP response headers

This section lists the HTTP response headers that servers send back to specify allowed origins for page contents as defined by the Content Security Policy specification.

CH-CSP

Indicates that a request is subject to a policy.

Content-Security-Policy

Specifies a page's content origins by resource type for enforcement by the user agent. This header may be used inside a <meta> tag.

Content-Security-Policy-Report-Only

Specifies a page's content origins by resource type for monitoring by the server. This header may not be used inside a <meta> tag.
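The delivery rules in this section (a policy can be sent as either header, but the Report-Only variant exists only as a header and cannot be placed in a <meta> tag) are captured in the following added example. It is written for this article and is not MDN's or any server framework's code; the three directives it drops from <meta> delivery (frame-ancestors, report-uri, sandbox) are the ones the CSP specification says user agents ignore in a <meta> tag, which is why the article says "most" directives work there.

```python
# Added example: emit a policy as an HTTP response header or as a
# <meta http-equiv> tag, enforcing the delivery rules described above.
# Not MDN's code; the policy dict shape {directive: [sources]} is this
# example's own convention.

# Directives the CSP specification says are ignored when delivered via <meta>.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}


def serialize(policy):
    """Join {directive: [sources]} into the 'name src src; name src' wire form."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def as_header(policy, report_only=False):
    """Return (header-name, header-value). Report-Only monitors without blocking."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, serialize(policy)


def as_meta_tag(policy):
    """Return (meta-tag, dropped-directives). Directives that <meta> cannot
    carry are removed and reported so the caller can send them as a header."""
    dropped = sorted(d for d in policy if d in META_UNSUPPORTED)
    kept = {d: s for d, s in policy.items() if d not in META_UNSUPPORTED}
    # Only '&' and '"' need escaping inside a double-quoted attribute value.
    content = serialize(kept).replace("&", "&amp;").replace('"', "&quot;")
    tag = f'<meta http-equiv="Content-Security-Policy" content="{content}">'
    return tag, dropped


def deliver(policy, via, report_only=False):
    """Dispatch on the delivery channel ('header' or 'meta')."""
    if via == "header":
        return as_header(policy, report_only)
    if via == "meta":
        if report_only:
            raise ValueError(
                "Content-Security-Policy-Report-Only cannot be set in a <meta> tag; "
                "send it as a response header"
            )
        return as_meta_tag(policy)
    raise ValueError(f"unknown delivery channel: {via!r}")
```

A practical consequence worth checking in deployment: a policy that relies on frame-ancestors for clickjacking protection silently loses that protection if it is only ever shipped in a <meta> tag, which is why `as_meta_tag` returns the dropped names instead of discarding them quietly.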

Browser compatibility

Desktop:

Feature          Chrome   Firefox (Gecko)   Internet Explorer   Opera   Safari
Basic support    41.0     (Yes)             ?                   (Yes)   ?
Worker support   (Yes)    50 (50)           ?                   ?       ?

Mobile:

Feature          Android      Chrome for Android   Firefox Mobile (Gecko)   IE Mobile   Opera Mobile   Safari Mobile
Basic support    No support   ?                    ?                        ?           ?              ?

See Also

Document Tags and Contributors

 Contributors to this page: wbamberg, teoli, jpmedley, kscarfone
 Last updated by: wbamberg,