
    CSP policy directives

    There are several policy areas that web site administrators can define using Content Security Policy (CSP). Any combination of these can be used to customize your policy to suit your web site's needs; you don't need to specify them all.

    Content sources

    Most policy directives require one or more content sources. A content source is a string indicating a possible source from which content might be loaded.

    Source lists

    A source list is a string specifying one or more Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. The hosts are space-delimited.

    Valid host expressions include:

    http://*.foo.com
    Matches all attempts to load from any subdomain of foo.com using the http: URL scheme.
    mail.foo.com:443
    Matches all attempts to access port 443 on mail.foo.com.
    https://store.foo.com
    Matches all attempts to access store.foo.com using https:.

    If a port number isn't specified, the browser will use the default port number for the specified scheme. If no scheme is specified, the same scheme as the one used to access the protected document is assumed.

    Keywords

    There are also some keywords available to describe special classes of content sources. These are:

    'none'
    Refers to the empty set; that is, no URLs match. The single quotes are required.
    'self'
    Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes.
    'unsafe-inline'
    Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.
    'unsafe-eval'
    Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.
    Note: Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your web site up to cross-site scripting vulnerabilities.

    For example, you can specify that content may be loaded from the document's origin as well as trustedscripts.foo.com as follows:

    Content-Security-Policy: default-src 'self' trustedscripts.foo.com
    

    Data

    Note: data: URIs are unsafe and can open your web site up to cross-site scripting vulnerabilities if allowed for script sources.
    data:
    Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
    mediastream:
    Allows mediastream: URIs to be used as a content source.
    Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:
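    The host-expression, default-port, default-scheme and keyword rules described above (and the scheme-only sources such as data: used in the header just shown) can be checked mechanically. The following matcher is an added example, not code from MDN or from any browser; it implements exactly the rules stated on this page (an unspecified scheme is taken from the protected document, an unspecified port is the scheme's default, a leading "*." matches any subdomain, a port of "*" matches any port) and nothing beyond them. The example URLs are constructed.

```python
# Added example (not from the MDN page): a matcher for single CSP source
# expressions, following the rules stated in the "Source lists" and
# "Keywords" sections.  Hosts and documents below are constructed samples.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _split(url):
    """(scheme, lowercase host, effective port) of a URL; port falls back to the scheme default."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower())


def source_matches(expr, url, document_url):
    """True if `url` is allowed by the single source expression `expr`,
    evaluated relative to the protected document at `document_url`."""
    expr = expr.strip()
    if expr == "'none'":                      # the empty set: nothing matches
        return False
    doc_scheme, doc_host, doc_port = _split(document_url)
    scheme, host, port = _split(url)
    if expr == "'self'":                      # same scheme, host and port as the document
        return (scheme, host, port) == (doc_scheme, doc_host, doc_port)
    if expr.startswith("'"):                  # 'unsafe-inline', 'unsafe-eval': never match a URL
        return False
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:   # scheme-only source such as "data:" or "https:"
        return scheme == expr[:-1].lower()

    # host-source: [scheme://]host[:port]
    expr_scheme, rest = None, expr
    if "://" in expr:
        expr_scheme, rest = expr.split("://", 1)
        expr_scheme = expr_scheme.lower()
    expr_host, _, expr_port = rest.rstrip("/").partition(":")
    expr_host = expr_host.lower()

    # Scheme: an explicit one must match; otherwise the document's scheme is assumed.
    if (expr_scheme or doc_scheme) != scheme:
        return False
    # Host: a leading "*." matches any subdomain (not the bare domain); otherwise exact.
    if expr_host.startswith("*."):
        if not host.endswith(expr_host[1:]):
            return False
    elif expr_host != host:
        return False
    # Port: "*" allows any port; an absent port means the default for the scheme in use.
    if expr_port == "*":
        return True
    expected = int(expr_port) if expr_port else DEFAULT_PORTS.get(expr_scheme or doc_scheme)
    return port == expected


def source_list_allows(source_list, url, document_url):
    """True if any expression in the space-delimited `source_list` allows `url`."""
    return any(source_matches(e, url, document_url) for e in source_list.split())
```

    A practical consequence visible in the matcher: with the document served over http:, a bare host such as mail.foo.com:443 matches only http://mail.foo.com:443, because the scheme is inherited from the document rather than inferred from the port.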
    

    Supported policy directives

    The following policy directives are available to control the security policy for the various policy areas.

    base-uri

    The base-uri directive defines the URIs that a user agent may use as the document base URL. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the base element.

    base-uri source-list

    child-src

    The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. This directive is preferred over the frame-src directive, which is deprecated. For workers, non-compliant requests are treated as fatal network errors by the user agent.

    Note: If this directive is absent, the user agent will look for the default-src directive.
    child-src source-list

    connect-src

    The connect-src directive defines valid sources for fetch, XMLHttpRequest, WebSocket, and EventSource connections. 

    Note: If this directive is absent, the user agent will look for the default-src directive.
    Note: Prior to Firefox 23, xhr-src was used in place of the connect-src directive and only restricted the use of XMLHttpRequest.
    connect-src source-list

    default-src

    The default-src directive defines the security policy for types of content which are not expressly called out by more specific directives. This directive covers the following directives:

    • child-src
    • connect-src
    • font-src
    • img-src
    • media-src
    • object-src
    • script-src
    • style-src
    default-src source-list

    font-src

    The font-src directive specifies valid sources for fonts loaded using @font-face.

    Note: If this directive is absent the user agent will look for the default-src directive.
    font-src source-list

    form-action

    The form-action directive specifies valid endpoints for <form> submissions.

    form-action source-list

    frame-ancestors

    The frame-ancestors directive specifies valid parents that may embed a page using the <frame> and <iframe> elements. This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.

    frame-ancestors source-list

    frame-src

    The frame-src directive specifies valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

    Note: This directive is deprecated. Use child-src instead.
    frame-src source-list

    img-src

    The img-src directive specifies valid sources of images and favicons. 

    Note: If this directive is absent, the user agent will look for the default-src directive.
    img-src source-list

    media-src

    The media-src directive specifies valid sources for loading media using the <audio> and <video> elements.

    Note: If this directive is absent, the user agent will look for the default-src directive.
    media-src source-list

    object-src

    The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements. 

    Note: If this directive is absent, the user agent will look for the default-src directive.
    object-src source-list

    plugin-types

    The plugin-types directive specifies the valid plugins that the user agent may invoke.

    plugin-types type-list

    referrer

    The referrer directive specifies information in the referrer header for links away from a page.

    referrer value

    reflected-xss

    The reflected-xss directive instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks. Valid values are allow, block, and filter. This directive is not supported in the <meta> element.

    Note: This directive is ignored if it is contained in a meta element.
    reflected-xss value

    report-uri

    The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. See Using CSP violation reports for details. This directive is not supported in the <meta> element.

    report-uri uri
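    The endpoint named by report-uri receives the violation reports as JSON documents in HTTP POST bodies. The following receiver-side parser is an added example, not code from MDN or from any browser; it reads the standard csp-report fields (document-uri, blocked-uri, violated-directive, original-policy), rejects malformed or oversized bodies, and aggregates reports by directive and blocked source so that a flood of reports can be triaged. The report bodies are constructed samples.

```python
# Added example (not from the MDN page): validate and summarise CSP violation
# reports as they would arrive at a report-uri endpoint.  Sample bodies are
# constructed; the last one is deliberately not a report.
import json
from urllib.parse import urlsplit

SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.foo.com/account",
        "referrer": "",
        "blocked-uri": "inline",
        "violated-directive": "script-src 'self' trustedscripts.foo.com",
        "original-policy": "default-src 'self'; script-src 'self' trustedscripts.foo.com; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.foo.com/search?q=x",
        "blocked-uri": "inline",
        "violated-directive": "script-src 'self' trustedscripts.foo.com",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.foo.com/",
        "blocked-uri": "http://cdn.foo.com/site.css",
        "violated-directive": "style-src 'self'",
    }}),
    "<html>not a report</html>",
]


class BadReport(ValueError):
    """Raised for bodies that are not well-formed violation reports."""


def _origin(url):
    """scheme://host[:port] of a URL, or the string unchanged if it has no authority part."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.netloc else url


def parse_violation_report(body, max_bytes=64 * 1024):
    """Validate one POST body and return a normalised record; raise BadReport otherwise."""
    if len(body) > max_bytes:                      # reports are small; anything larger is not one
        raise BadReport("report too large")
    try:
        doc = json.loads(body)
    except ValueError as e:                        # json.JSONDecodeError is a ValueError
        raise BadReport(f"invalid JSON: {e}")
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise BadReport("missing csp-report object")
    for field in ("document-uri", "violated-directive"):
        if not isinstance(report.get(field), str) or not report[field]:
            raise BadReport(f"missing {field}")
    blocked = report.get("blocked-uri", "")
    return {
        "document_origin": _origin(report["document-uri"]),
        # The directive name is the first token of violated-directive.
        "directive": report["violated-directive"].split()[0].lower(),
        # Browsers put a keyword ("inline", "eval", "self", "data") here instead of a URL
        # for non-network violations; keep it as-is, otherwise reduce the URL to its origin.
        "blocked_host": _origin(blocked) if "://" in blocked else blocked,
        "policy": report.get("original-policy", ""),
    }


def summarise(bodies):
    """Count violations by (directive, blocked host), skipping malformed bodies.
    Returns (counts, number_of_rejected_bodies)."""
    counts, rejected = {}, 0
    for body in bodies:
        try:
            r = parse_violation_report(body)
        except BadReport:
            rejected += 1
            continue
        key = (r["directive"], r["blocked_host"])
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = summarise(SAMPLE_REPORTS)
    for (directive, host), n in sorted(counts.items()):
        print(f"{n:4d}  {directive:<12} {host}")
    print(f"rejected: {rejected}")
```

    Aggregating by directive and blocked source is what makes the reports usable: repeated "script-src / inline" entries on the same page usually point to a first-party inline script the policy needs to account for, while a blocked third-party host that nobody recognises is the case worth investigating.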

    sandbox

    The sandbox directive applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.

    sandbox value

    script-src

    The script-src directive specifies valid sources for JavaScript. When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively.

    Note: If this directive is absent the user agent will look for the default-src directive.
    script-src source-list

    style-src

    The style-src directive specifies valid sources for stylesheets. This includes both externally-loaded stylesheets and inline use of the <style> element and HTML style attributes. Stylesheets from sources that aren't included in the source list are not requested or loaded. When either the style-src or the default-src directive is included, inline use of the <style> element and HTML style attributes are disabled unless you specify 'unsafe-inline'.

    Note: If this directive is absent, the user agent will look for the default-src directive.
    style-src source-list
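    The default-src fallback described under "default-src", and the effect of 'unsafe-inline' and 'unsafe-eval' on script-src and style-src described above, are easy to get wrong when a policy is assembled by hand. The following checker is an added example, not code from MDN or from any browser: it parses a Content-Security-Policy header value, resolves which source list actually governs a given directive (the directive's own value, else default-src for the directives this page lists as falling back to it, else no restriction), and reports the settings this page calls unsafe. The two sample policies are constructed: one permissive, one tightened.

```python
# Added example (not from the MDN page): parse a CSP header value, apply the
# default-src fallback from the "default-src" section, and flag the script-src
# and style-src settings this page describes as unsafe.
FALLS_BACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
}


def parse_policy(header_value):
    """Split a CSP header value into {directive_name: [source expressions]}.
    Directives are ';'-separated; the first token is the name, the rest its values.
    If a directive is repeated, the first occurrence wins."""
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`: its own value if present, otherwise
    default-src for the directives that fall back to it, otherwise None (unrestricted)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def lint_policy(policy):
    """Human-readable findings for risky script/style settings in a parsed policy."""
    findings = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (neither {directive} nor default-src is set)")
            continue
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive}: 'unsafe-inline' permits inline code")
        if directive == "script-src":
            if "'unsafe-eval'" in sources:
                findings.append("script-src: 'unsafe-eval' permits creating code from strings")
            if "data:" in sources:
                findings.append("script-src: data: URIs are allowed as a script source")
            if "*" in sources:
                findings.append("script-src: wildcard '*' allows scripts from any host")
    return findings


# Constructed sample policies: WEAK inherits every unsafe keyword into script-src
# and style-src through default-src; STRICT pins script sources and disables plugins.
WEAK = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:"
STRICT = ("default-src 'self'; script-src 'self' trustedscripts.foo.com; "
          "img-src 'self' data:; object-src 'none'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("strict", STRICT)):
        print(label, lint_policy(parse_policy(header)) or ["no findings"])
```

    The WEAK policy shows why a permissive default-src is worse than it looks: data: was presumably added for images, but because script-src is absent it also becomes a valid script source.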
    Note: Firefox currently requires the report-uri to use the same URL scheme and port as the content being protected by Content Security Policy.

    upgrade-insecure-requests

    A Chrome-only policy that instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. This feature was added in Chrome 43.0.

    Specifications

    Specification                                                   Status                     Comment
    Content Security Policy (definition of 'CSP directives')        Working Draft              Added base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, reflected-xss.
    Content Security Policy 1.0 (definition of 'CSP directives')    Candidate Recommendation   Initial definition.

    Browser compatibility

    Desktop

    Feature          Chrome              Firefox (Gecko)                          Internet Explorer   Opera   Safari
    Basic support    14 (X-Webkit-CSP)   4.0 (2.0) (X-Content-Security-Policy)    12                  15      6 (X-Webkit-CSP)
                     25                  24.0 (24.0)                                                          7
    base-uri
    child-src
    connect-src
    default-src
    font-src
    form-action      41                  36.0 (36.0)                              ?                   ?       ?
    frame-ancestors  41                  4.0 (2.0)                                ?                   ?       ?
    frame-src
    img-src                                                                       ?                   ?       ?
    media-src
    object-src
    plugin-types
    referrer
    reflected-xss
    report-uri
    sandbox
    script-src
    style-src

    (An empty cell means no version information was recorded for that directive; "?" means support is unknown.)

    Mobile

    Feature          Android   Firefox Mobile (Gecko)   IE Mobile   Opera Mobile   Safari Mobile
    Basic support    (Yes)     4.0 (2.0)                ?           ?              iOS 7.1
    frame-ancestors  ?         4.0 (2.0)                ?           ?              ?
    form-action      ?         36.0 (36.0)              ?           ?              ?

    Specifications

    Specification                        Status                     Comment
    Content Security Policy Level 2.0    Working Draft              Adds base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, reflected-xss, and report-uri. Deprecates frame-src.
    Content Security Policy 1.0          Candidate Recommendation   Defines connect-src, default-src, font-src, frame-src, img-src, media-src, object-src, report-uri, sandbox, script-src, and style-src.

    Last updated by: jmera