Scheme Source
A scheme-source is a Content Security Policy source expression that lets you specify which URL schemes (protocols) may be used to load resources. It provides a way to restrict resource loading to specific protocols, for example allowing only https:, which helps enforce secure transport. It does not restrict which hosts may serve those resources.
Overview
A scheme-source is written as a scheme name followed by a colon (for example https:, data: or blob:) and matches any URL with that scheme, regardless of host, port or path. Browsers also treat the secure variant of a scheme as matching: http: allows https: URLs and ws: allows wss: URLs, but not the reverse. Because a scheme-source admits every origin that speaks the named protocol, a policy built only from scheme-sources does not stop an attacker from loading content from a server they control; combine scheme-sources with host-sources, nonces or hashes wherever you need to restrict origins.
Security Warning: Use of Unsafe Schemes
Be extremely cautious with data:, blob: and filesystem: in directives that govern executable content, such as script-src, object-src and frame-src. Content reached through these schemes is not fetched from a server you control: a data: URL carries its payload inline in the URL itself, and blob: and filesystem: URLs point at content created at runtime inside the browser. An attacker who can inject markup, or influence script that constructs such URLs, can use them to bypass a host-based allowlist entirely. Only use these schemes when absolutely necessary, prefer to scope them to non-executable directives such as img-src, and make sure you understand the security implications.
Available Schemes
http: Allow any source using the http protocol; also matches https: URLs (not recommended for production, since it permits plaintext loads)
https: Allow any source using the https protocol
data: Allow data: URIs, whose content is embedded in the URL itself (use with caution, especially in script-src, object-src and frame-src)
mediastream: Allow mediastream: URIs
blob: Allow blob: URIs, which refer to in-memory objects created by script running in the page
filesystem: Allow filesystem: URIs, which refer to the browser's sandboxed per-origin file system (non-standard)
Examples
Basic Usage
Allow loading resources only over HTTPS
Content-Security-Policy: default-src https:;
Common Use Cases
Allow images from HTTPS sources and data URIs
Content-Security-Policy: img-src https: data:;
Allow media from HTTPS sources and mediastream URIs
Content-Security-Policy: media-src https: mediastream:;
Data URI Example
An example of a data URI
// Example of a data URI that would be allowed by a data: scheme-source; the base64 payload decodes to <script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
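To make the policies in the examples above concrete, and to show what the data: URI just listed actually carries, here is a small added evaluator for scheme-source matching. It is example code written for this page, not code from the page's author or from any browser. It implements the CSP Level 3 "scheme-part matches" rule (a scheme-source matches any URL with that scheme, whatever the host, and http: also matches https: URLs, as ws: matches wss:), plus the default-src fallback that fetch directives use. Host-sources, nonces and hashes are deliberately treated as non-matching so the example stays focused on scheme behaviour; the hostnames, blob and mediastream identifiers in the samples are hypothetical. It runs under Node.js.

```javascript
// Added example (not from the original page): a small evaluator for CSP
// scheme-source matching. Follows the CSP Level 3 "scheme-part matches" rule:
// a scheme-source matches any URL with that scheme, regardless of host, and
// "http:" also matches https: URLs (likewise "ws:" matches wss:). Only
// scheme-sources are evaluated; host-sources, nonces and hashes never match
// here, so the example stays focused on scheme behaviour. Runs under Node.js.

const SECURE_UPGRADE = {
  'http:': new Set(['http:', 'https:']),
  'ws:': new Set(['ws:', 'wss:']),
};

// A scheme-source is a scheme name followed by a colon and nothing else.
function isSchemeSource(expr) {
  return /^[a-z][a-z0-9+.-]*:$/i.test(expr);
}

// Does one scheme-source expression match a URL with the given scheme?
function schemeSourceMatches(expr, urlScheme) {
  const allowed = SECURE_UPGRADE[expr.toLowerCase()] || new Set([expr.toLowerCase()]);
  return allowed.has(urlScheme.toLowerCase());
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives fall back to default-src when not set; null means unrestricted.
function effectiveSourceList(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Would a load of `url` governed by `directive` pass the scheme-sources in `header`?
function isAllowed(header, directive, url) {
  const sources = effectiveSourceList(parsePolicy(header), directive);
  if (sources === null) return true;
  let scheme;
  try {
    scheme = new URL(url).protocol; // e.g. "https:", "data:", "blob:", "mediastream:"
  } catch {
    return false; // an unparseable URL never matches a source expression
  }
  return sources.some((expr) => isSchemeSource(expr) && schemeSourceMatches(expr, scheme));
}

// Decode a data: URI so the payload a data: scheme-source would admit is visible.
function decodeDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/is.exec(uri);
  if (!m) throw new Error('not a data: URI');
  const [, mediaType, isBase64, payload] = m;
  const body = isBase64
    ? Buffer.from(payload, 'base64').toString('utf8')
    : decodeURIComponent(payload);
  return { mediaType: mediaType || 'text/plain;charset=US-ASCII', body };
}

// Constructed sample inputs: the page's data: URI plus hypothetical URLs.
const PAGE_DATA_URI = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==';
const SAMPLES = [
  // [header, directive, url, what the result shows]
  ['default-src https:;', 'img-src', 'https://cdn.example/a.png', 'https: matches any HTTPS host'],
  ['default-src https:;', 'img-src', 'http://cdn.example/a.png', 'https: rejects plaintext HTTP'],
  ['default-src http:;', 'img-src', 'https://cdn.example/a.png', 'http: also matches https:'],
  ['default-src https:; img-src https: data:;', 'img-src', PAGE_DATA_URI, 'data: admitted for images'],
  ['default-src https:; img-src https: data:;', 'script-src', PAGE_DATA_URI, 'script-src falls back to default-src, so blocked'],
  ['default-src https:; script-src https: data:;', 'script-src', PAGE_DATA_URI, 'data: in script-src lets the payload through'],
  ['media-src https: mediastream:;', 'media-src', 'mediastream:stream-id', 'mediastream: scheme-source'],
  ['script-src https: blob:;', 'script-src', 'blob:https://app.example/3a2f', 'blob: is matched by scheme alone'],
];

function evaluateSamples() {
  return SAMPLES.map(([header, directive, url, note]) => ({
    note,
    allowed: isAllowed(header, directive, url),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateSamples()) console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.note}`);
  console.log('data: payload decodes to:', decodeDataUri(PAGE_DATA_URI).body);
}
```

Two results are worth dwelling on: the http: sample passes an https: URL, because the secure upgrade is always accepted, so listing http: never buys you anything https: does not already give; and the same data: URI is blocked for script-src when only img-src names data:, but admitted as soon as data: appears in script-src, which is the bypass the warning above is about.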
Security Risks
Potential Vulnerabilities
Data URI Injection: with data: allowed in a directive that governs executable content, attackers can deliver malicious code inline through (often base64-encoded) data URIs, with no server of their own and nothing for a host allowlist to block
Protocol Downgrade: allowing http: permits resources to load over plaintext HTTP, which an on-path attacker can read or modify; since http: also matches https: URLs, there is rarely a reason to list it at all
Blob/Filesystem Bypass: blob: and filesystem: URLs refer to content created by script in the page rather than to files on the user's machine, so allowing them in script-src or object-src lets any script that builds such a URL from attacker-influenced data load executable content that the rest of the policy cannot block