manifest-src
The manifest-src directive controls which web app manifest files can be loaded for your web application. It helps protect against an unauthorized manifest being loaded, which could change how your application is installed, named or displayed.
Recommended Values
- 'self': Allows the manifest to be loaded from the page's own origin
- https://subdomain.domain.com/path: Allows the manifest to be loaded from that explicitly listed source
Recommended manifest-src configuration
Content-Security-Policy: manifest-src 'self';
Tips & Tricks
- Always specify trusted domains explicitly rather than using wildcards
- Use 'self' when your manifest files are hosted on the same origin
- Avoid the broad * source, as it permits a manifest to be loaded from any origin, including a malicious one
Possible Values
- 'none': No manifest files are allowed
- 'self': Only manifest files from the same origin are allowed
- URLs: Specific domains (e.g., https://trusted-domain.com)
- Schemes: Protocol schemes (e.g., https:, http:, wss:, ws:)
- Wildcards: * for subdomains (e.g., *.example.com)
- ⚠️ *: Allows all origins
Example Configurations
Basic policy
Basic CSP Header for manifest files
Content-Security-Policy: manifest-src 'self' https://example.com;
Allowed
<!-- allowed as it's from same origin -->
<link rel="manifest" href="/manifest.json">
<!-- allowed as it's from example.com -->
<link rel="manifest" href="https://example.com/manifest.json">
Blocked
<!-- blocked as the domain is not authorized -->
<link rel="manifest" href="https://malicious.website.com/manifest.json">
<!-- blocked as the policy only lists example.com over https -->
<link rel="manifest" href="http://example.com/manifest.json">
Additional Information
- The manifest-src directive helps prevent unauthorized replacement of your web app's manifest
- Always use HTTPS URLs for external manifest files
- Consider using this directive if your application uses Web App Manifests
- Falls back to default-src if manifest-src is not specified
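As an added example (not code from the page), the following JavaScript evaluator reproduces how a browser applies the manifest-src directive to the allowed and blocked links in the example configuration above, including the fall-back to default-src. It is a simplified model of CSP source matching: port, nonce and hash sources are assumed out of scope.

```javascript
// Added example: minimal CSP manifest-src evaluator (simplified; no port,
// nonce or hash matching). Written for this page, not taken from any library.

// Split a CSP header into a map: directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// manifest-src falls back to default-src; with neither present, nothing is restricted.
function manifestSources(policy) {
  const d = parsePolicy(policy);
  return d.get('manifest-src') ?? d.get('default-src') ?? ['*'];
}

// CSP scheme matching: equal, or an insecure scheme matching its secure upgrade.
function schemeMatches(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme ||
    (sourceScheme === 'http:' && urlScheme === 'https:') ||
    (sourceScheme === 'ws:' && urlScheme === 'wss:');
}

// Host matching: exact, '*' (any host) or '*.example.com' (subdomains only).
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

// Does one source expression ('self', https:, *.example.com/path, ...) permit url?
function sourceMatches(source, page, url) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return schemeMatches(lower, url.protocol); // scheme-source
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*:)\/\/)?([^/:]+)(\/.*)?$/i);         // host-source
  if (!m) return false;
  const [, scheme, hostPattern, path] = m;
  if (!schemeMatches(scheme ? scheme.toLowerCase() : page.protocol, url.protocol)) return false;
  if (!hostMatches(hostPattern.toLowerCase(), url.hostname)) return false;
  // A path ending in '/' is a prefix match; any other path must match exactly.
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Resolve the <link rel="manifest"> href against the page and test it against the policy.
function isManifestAllowed(policy, pageUrl, href) {
  const page = new URL(pageUrl);
  const url = new URL(href, page);
  return manifestSources(policy).some(s => sourceMatches(s, page, url));
}
```

With the page served from https://app.example.org (a constructed origin), `isManifestAllowed("manifest-src 'self' https://example.com", 'https://app.example.org/', href)` returns true for the two allowed hrefs above and false for the two blocked ones.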