Scheme Source

The scheme-source is a Content Security Policy component that allows you to specify which URL schemes can be used to load resources. It provides a way to restrict resource loading to specific protocols, helping to enforce secure communication channels.

Overview

A scheme-source names a URL scheme (protocol) from which resources may be loaded. It is convenient for expressing a policy such as "HTTPS only", but it is coarse: a scheme-source admits every origin that uses that scheme, so on its own it does not provide comprehensive protection against injected content.

Security Warning: Use of Unsafe Schemes

Be extremely cautious when allowing scheme-sources, particularly data:, blob: and filesystem:. These schemes can allow attackers to bypass CSP protections by injecting malicious content, because the content is not served by any host you trust. Only use these schemes when absolutely necessary and ensure you understand the security implications.

Available Schemes

  • http: Allow any source using the http protocol (not recommended for production)

  • https: Allow any source using the https protocol

  • data: Allow data: URIs (use with caution)

  • mediastream: Allow mediastream: URIs

  • blob: Allow blob: URIs

  • filesystem: Allow filesystem: URIs

Examples

Basic Usage

Allow loading resources only over HTTPS

Content-Security-Policy: default-src https:;

Common Use Cases

Allow images from HTTPS sources and data URIs

Content-Security-Policy: img-src https: data:;

Allow media from HTTPS sources and mediastream URIs

Content-Security-Policy: media-src https: mediastream:;

Data URI Example

An example of a data URI. Its base64 payload decodes to an HTML document containing a script element, which is exactly the kind of attacker-suppliable content a data: scheme-source admits.

// Example of a data URI that would be allowed with data: scheme
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

Security Risks

Potential Vulnerabilities

  • Data URI Injection: Attackers can inject malicious code through base64 encoded data URIs

  • Protocol Downgrade: Using the http: scheme could enable man-in-the-middle attacks

  • Blob/Filesystem Access: Could potentially expose sensitive local resources
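The following Python script is an added example and is not part of the original page or any browser's implementation. It ties together the Examples section (how a header such as "img-src https: data:;" governs a load, including the default-src fallback) and the Security Risks list above (which scheme-sources widen a policy in risky ways). It handles only scheme-sources; host-sources, nonces, hashes and the "*" wildcard are out of scope, as are the ws:/wss: upgrade rules, so a real enforcement engine needs more. The sample policies and the directive lists are constructed for the demo.

```python
# Added example, not part of the original page: a small evaluator for the
# scheme-source form of CSP. It parses a Content-Security-Policy header value,
# decides whether a URL is permitted by a directive's scheme-sources (using
# default-src fallback), and audits a policy for the risky schemes discussed
# under "Security Risks". Host-sources, nonces, hashes and '*' are out of scope.
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "connect-src", "object-src", "frame-src", "worker-src", "manifest-src",
}
# Directives where an attacker-suppliable scheme leads straight to code execution.
CODE_DIRECTIVES = {"default-src", "script-src", "object-src"}
# Schemes whose content is minted by the page (or an attacker) rather than
# served by a trusted host.
ATTACKER_MINTABLE = {"data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive-name: [source-expression, ...]}.
    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (first one wins)."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_scheme_source(token: str) -> bool:
    """A scheme-source is a bare scheme followed by ':' (e.g. 'https:'),
    as opposed to a host-source such as 'https://cdn.example'."""
    return len(token) > 1 and token.endswith(":") and "/" not in token


def scheme_matches(source: str, url_scheme: str) -> bool:
    """Scheme-part matching: exact match, plus the CSP Level 3 rule that
    'http:' also permits https URLs (upgrading never violates the policy)."""
    a, b = source[:-1].lower(), url_scheme.lower()
    return a == b or (a == "http" and b == "https")


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def url_allowed(policy: dict[str, list[str]], directive: str, url: str) -> bool:
    """True if a scheme-source of the governing directive matches the URL's scheme."""
    scheme = urlsplit(url).scheme
    return any(
        scheme_matches(src, scheme)
        for src in effective_sources(policy, directive)
        if is_scheme_source(src)
    )


def audit(policy: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """Flag scheme-sources that widen the policy in the ways listed under
    'Security Risks'. Returns (severity, directive, source, message) tuples."""
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            if not is_scheme_source(src):
                continue
            key = src.lower()
            if key == "http:":
                findings.append(("medium", directive, src,
                                 "permits plaintext loads (protocol downgrade / MITM)"))
            elif key in ATTACKER_MINTABLE and directive in CODE_DIRECTIVES:
                findings.append(("high", directive, src,
                                 "lets attacker-minted URLs of this scheme execute as code"))
            elif key in ATTACKER_MINTABLE:
                findings.append(("low", directive, src,
                                 "allows content tied to no trusted host; confirm it is needed"))
    return findings


if __name__ == "__main__":
    # Constructed sample policies drawn from the Examples section of the page.
    data_uri = "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="
    for header in ("default-src https:;",
                   "img-src https: data:;",
                   "default-src https: http: data:;"):
        policy = parse_csp(header)
        print(header)
        print("  image from data: URI allowed:", url_allowed(policy, "img-src", data_uri))
        print("  script over http allowed:   ", url_allowed(policy, "script-src", "http://cdn.example/a.js"))
        for sev, directive, src, msg in audit(policy):
            print(f"  [{sev}] {directive} {src}: {msg}")
```

Running the script shows the asymmetry the page warns about: "img-src https: data:;" admits the data: document for images but, lacking both script-src and default-src, admits nothing for scripts, whereas moving data: into default-src is flagged high because it then governs script-src and object-src too.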
