The default fallback for other fetch directives. If other fetch directives are not explicitly defined, they fall back to the values specified in default-src.
Controls which font sources can be loaded.
Controls which JavaScript sources can be loaded and executed.
Controls inline event handlers and script attributes.
Controls which script elements can be loaded.
Controls which CSS sources can be loaded.
Controls inline style attributes.
Controls which style elements can be loaded.
Controls which DOM sink functions can accept values.
Controls which image sources can be loaded.
Controls which URLs can be loaded into a child browsing context.
Controls which manifest sources can be loaded.
Controls which media sources can be loaded.
Controls which plugin content can be loaded.
Controls which URLs the application can connect to via script interfaces.
Controls which plugins can be loaded by the document.
Controls which resources can be prefetched or prerendered.
Controls which URLs can be loaded into a browsing context.
Controls which URLs can be loaded into a fenced frame.
Controls which URLs can be loaded as a Worker, SharedWorker, or ServiceWorker.
Specifies a URI to which violation reports will be sent.
Specifies a reporting group to which violation reports will be sent.
Controls which parent pages can embed the page using frame, iframe, object, or similar elements.
Controls which URLs can be used as the action of HTML forms.
Controls which URLs can be used in a document's <base> element.
Applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
Controls which DOM sink functions require trusted types.
Prevents loading any assets over HTTP when the page is loaded over HTTPS.
Instructs browsers to upgrade all HTTP requests to HTTPS.
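The fallback rule described in the first entry above (fetch directives that are not set inherit the value of default-src) is easy to get wrong when reviewing a policy by eye. The following JavaScript is an added example, not code from the original page: it parses a Content-Security-Policy header, resolves the effective source list for each fetch directive by walking its fallback chain, and reports weak results. The directive names and fallback chains are the standard CSP ones (assumed here from the specification; this page lists only descriptions), and the two sample policies are constructed for the example.

```javascript
// Added example: resolve effective CSP fetch-directive sources with fallback.
// Directive names are standard CSP names (assumed, not taken from this page).

// Fallback chain for each fetch directive, in the order a browser consults it.
// Most fall straight back to default-src; a few go through an intermediate
// directive first (e.g. worker-src -> child-src -> script-src -> default-src).
const FALLBACK_CHAIN = {
  "child-src": ["default-src"],
  "connect-src": ["default-src"],
  "font-src": ["default-src"],
  "img-src": ["default-src"],
  "manifest-src": ["default-src"],
  "media-src": ["default-src"],
  "object-src": ["default-src"],
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
  "script-src-elem": ["script-src", "default-src"],
  "script-src-attr": ["script-src", "default-src"],
  "style-src-elem": ["style-src", "default-src"],
  "style-src-attr": ["style-src", "default-src"],
};

// Parse "directive src src; directive ..." into Map(directive -> [sources]).
// A repeated directive is ignored, matching browser behaviour (first wins).
function parsePolicy(header) {
  const policy = new Map();
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return { from, sources }: the directive that actually governs this fetch
// type and its source list. sources === null means nothing restricts it.
function effectiveSources(policy, directive) {
  const chain = [directive, ...(FALLBACK_CHAIN[directive] || [])];
  for (const name of chain) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null };
}

// Defensive review: list fetch directives whose effective sources are weak.
// Findings are sorted so the output is stable.
function lintPolicy(header) {
  const policy = parsePolicy(header);
  const findings = [];
  for (const directive of Object.keys(FALLBACK_CHAIN)) {
    const { from, sources } = effectiveSources(policy, directive);
    if (sources === null) {
      findings.push(`${directive}: unrestricted (no directive and no default-src)`);
      continue;
    }
    if (sources.includes("*")) {
      findings.push(`${directive}: wildcard source '*' (via ${from})`);
    }
    if (directive.startsWith("script-src") && sources.includes("'unsafe-inline'")) {
      findings.push(`${directive}: 'unsafe-inline' permits inline script (via ${from})`);
    }
  }
  return findings.sort();
}

// Constructed sample policies for the example.
const WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline'";
const STRICT_POLICY =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'";

console.log("weak:", lintPolicy(WEAK_POLICY));
console.log("strict:", lintPolicy(STRICT_POLICY));
```

Running it shows the practical consequence of the fallback rule: a policy that sets only `script-src` leaves images, fonts, frames and connections entirely unrestricted unless `default-src` is also present, and a permissive `default-src *` silently becomes the effective value for every fetch type the policy does not name.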