CentralCSP

Fetching

The fetching directives are used to control the resources that can be loaded by the browser.


default-src

The default-src directive is the fallback for all other fetch directives: it sets the policy used for any resource type that has no more specific directive of its own.

Recommended Values

  • 'self'

    Allows resources from the same origin

  • https://subdomain.example.com

    Allows resources from a specific external site

Tips & Tricks

  • default-src is a fallback directive. If a more specific fetch directive is defined, it replaces default-src entirely for that resource type; the two lists are not merged.

  • 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes' weaken the policy for every resource type that falls back to default-src. Avoid them here and set them, if at all, on the specific directive that needs them.

  • Scheme sources such as data:, blob:, http: or https: allow any resource of that scheme from anywhere and are far too permissive for a fallback directive.

Examples

  • Recommended usage: allows only resources from the same origin; other sources should be defined in a specific fetch directive

    Content-Security-Policy: default-src 'self';

    Allowed

    <!-- allowed by 'self' -->
    <script src='/js/my_font.js'></script>
    

    Blocked

    <!-- blocked as the domain is not authorized -->
    <script src='https://malicious.file.com/hihi.js'></script>
    
    <!-- blocked as inline script is not allowed -->
    <script>alert('Hello there');</script>
    
    <!-- blocked as event handlers are not allowed -->
    <button onclick="alert('Hello there');">Click me</button>

font-src

The font-src directive specifies the sources from which fonts can be loaded.

Recommended Values

  • 'self'

    Allows resources from the same origin

  • https://subdomain.domain.com

    Allows resources from a specific external site

Tips & Tricks

  • If font-src is not defined, the default-src directive will be used.

Examples

  • Allows resources from the same origin and a specific external site

    Content-Security-Policy: font-src 'self' https://fonts.gstatic.com;

    Allowed

    <!-- allowed by 'self' -->
    @font-face {
      font-family: 'MyFont';
      src: url('/fonts/font.ttf');
    }
    
    <!-- allowed by https://fonts.gstatic.com -->
    @font-face {
      font-family: 'ExternalFont';
      src: url('https://fonts.gstatic.com/fonts/font.ttf');
    }

    Blocked

    <!-- blocked as the domain is not authorized -->
    @font-face {
      font-family: 'MaliciousFont';
      src: url('https://malicious.file.com/font.ttf');
    }

script-src

The script-src directive specifies the sources from which scripts can be loaded.

Recommended Values

  • 'self'

    Allows scripts from the same origin

  • https://subdomain.domain.com

    Allows scripts from a specific external site

  • 'sha256-<hash>'

    Allows an inline script whose content matches the hash

  • 'nonce-<random>'

    Allows scripts carrying a matching nonce attribute

  • 'strict-dynamic'

    Trusts scripts that are themselves loaded by a nonce- or hash-allowed script; host allowlists and 'unsafe-inline' are ignored once it is present. It does not allow inline event handlers.

Tips & Tricks

  • The nonce must be generated fresh for every response (at least 128 bits from a cryptographic random source, base64 encoded), and the value in the header must match the nonce attribute of each allowed script. A reused or predictable nonce is equivalent to 'unsafe-inline'.

  • Hashes can also be used to allow specific inline scripts. See the values section for more information.

  • Avoid 'unsafe-inline' and 'unsafe-eval': they disable the protection against injected inline scripts and dynamic code evaluation. 'unsafe-hashes' is only needed for event handlers; scope it to script-src-attr rather than widening script-src.

  • Scheme sources such as data:, blob:, http: or https: allow scripts from anywhere using that scheme and defeat the purpose of the directive.

  • 'strict-dynamic' makes trust propagate: a script allowed by nonce or hash may load further scripts (for example via document.createElement('script')) without those being in the allowlist. When it is present the browser ignores host sources and 'unsafe-inline', so a policy such as script-src 'nonce-<random>' 'strict-dynamic' no longer needs a CDN allowlist.

Available Values

  • 'none'

    Blocks all scripts

  • 'self'

    Allows scripts from the same origin

  • subdomain.domain

    Allows scripts from a specific domain

  • 'sha256-<hash>'

    Allows scripts with a specific hash

  • 'nonce-<random>'

    Allows scripts with a specific nonce value

  • 'report-sample'

    Includes script samples in violation reports for debugging

  • 'strict-dynamic'

    Allows scripts loaded by trusted scripts, ignoring allowlist and requiring nonces/hashes

  • 'unsafe-inline'

    Allows all inline scripts (not recommended)

  • 'unsafe-eval'

    Allows the use of eval() and similar dynamic code execution methods (not recommended)

Examples

  • Allows scripts from the same origin, a specific external site, and an inline script carrying the nonce issued for this response

    Content-Security-Policy: script-src 'self' https://example.com 'nonce-zf48z4fefDOg94qDef5EE6eFqzf15';

    Allowed

    <!-- allowed by 'self' -->
    <script src='/js/my_font.js'></script>
    
    <!-- allowed by https://example.com -->
    <script src='https://example.com/myfont.js'></script>
    
    <!-- allowed by nonce -->
    <script nonce='zf48z4fefDOg94qDef5EE6eFqzf15'>alert('Hello there');</script>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <script src='https://malicious.file.com/hihi.js'></script>
    
    <!-- blocked as inline script is not allowed -->
    <script>alert('Hello there');</script>
    
    <!-- blocked as event handlers are not allowed -->
    <button onclick="alert('Hello there');">Click me</button>

script-src-attr

The script-src-attr directive specifies valid sources for JavaScript inline event handlers such as onclick. It does not govern <script> elements; those are controlled by script-src-elem.

Recommended Values

  • 'none'

    Blocks all inline event handlers (recommended)

  • 'unsafe-hashes' 'sha256-<hash>'

    Allows inline event handlers whose attribute value matches the hash; the hash only applies to attributes when 'unsafe-hashes' is present

  • 'report-sample'

    Includes samples of blocked scripts in violation reports to help with debugging

Tips & Tricks

  • Do not put event handlers like onclick in the tag. Register them from a script instead, for example document.getElementById('btn').addEventListener('click', doSomething), so the handler is covered by script-src-elem.

  • Hashes match event handlers only when 'unsafe-hashes' is also present. Scope that keyword to script-src-attr rather than adding it to script-src, and prefer 'none' wherever the markup can be changed.

  • This directive is more specific than script-src and only applies to inline event handlers. If it is absent, script-src (then default-src) is used.

Available Values

  • 'none'

    Blocks all inline event handlers (recommended)

  • 'sha256-<hash>'

    Allows inline event handlers that match a specific hash (requires 'unsafe-hashes')

  • 'report-sample'

    Includes samples of blocked scripts in violation reports to help with debugging

  • 'unsafe-inline'

    Allows all inline event handlers (not recommended)

  • 'unsafe-hashes'

    Lets hash sources match event handler attributes (use with caution)

Examples

  • Allows only the inline event handler whose value matches the hash

    Content-Security-Policy: script-src-attr 'unsafe-hashes' 'sha256-xsuTGwM1pbHxJt6Bcu7KLls/Z+Q7K2yHs6kiFf8OBkA=';

    Allowed

    <!-- allowed by 'sha256-xsuTGwM1pbHxJt6Bcu7KLls/Z+Q7K2yHs6kiFf8OBkA=' (the hash of the attribute value) -->
    <button onclick="alert('Hello')">Click me</button>

    Blocked

    <!-- blocked as the hash of the handler is not in the directive -->
    <button onclick="alert('Another text')">Click me</button>

script-src-elem

The script-src-elem directive specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick. It allows you to control where <script> tags can load JavaScript from, providing an additional layer of security for your web application.

Recommended Values

  • 'self'

    Allows scripts from the same origin

  • https://subdomain.domain.com

    Allows scripts from a specific external site

  • 'nonce-<random>'

    Allows scripts with a specific nonce value

  • 'sha256-<hash>'

    Allows scripts that match a specific hash

  • 'report-sample'

    Includes samples of blocked scripts in violation reports to help with debugging

Tips & Tricks

  • Using 'report-sample' is recommended as it includes the first characters of a blocked inline script in violation reports, helping with debugging.

  • This directive is more specific than script-src and only applies to <script> elements; inline event handlers are governed by script-src-attr. If it is absent, script-src (then default-src) is used.

  • Using 'unsafe-inline' with this directive can be risky. Prefer nonces or hashes for inline <script> blocks.

  • A hash in script-src-elem matches the text of an inline <script> block only. To allow an event handler by hash, put 'unsafe-hashes' and the hash on script-src-attr instead.

Available Values

  • 'self'

    Allows scripts from the same origin

  • 'none'

    Blocks all scripts

  • 'nonce-<random>'

    Allows scripts with a matching nonce attribute

  • 'sha256-<hash>'

    Allows scripts matching a specific hash value

  • https://example.com

    Allows scripts from specific trusted domains

  • 'strict-dynamic'

    Allows scripts loaded by trusted scripts, ignoring static allowlist

  • 'report-sample'

    Includes script samples in violation reports for debugging

  • 'unsafe-inline'

    Allows inline scripts in <script> tags (not recommended)

  • 'unsafe-eval'

    Allows use of eval() and similar functions (strongly discouraged)

Examples

  • Allows scripts from the same origin and a specific external site

    Content-Security-Policy: script-src-elem 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <script src='/js/app.js'></script>
    
    <!-- allowed by https://example.com -->
    <script src='https://example.com/js/library.js'></script>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <script src='https://malicious.website.com/js/script.js'></script>
    
    <!-- blocked as inline scripts are not allowed -->
    <script>alert('Hello');</script>

style-src

The style-src directive specifies the sources from which stylesheets can be loaded.

Recommended Values

  • 'self'

    Allows styles from the same origin

  • https://subdomain.domain.com

    Allows styles from a specific external site

  • 'nonce-<random>'

    Allows styles with a specific nonce value

  • 'sha256-<hash>'

    Allows styles with a specific hash

Tips & Tricks

  • To allow inline styles, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block can be specified.

  • Prefer a nonce-source over hashes for inline <style> blocks that change between deployments: a nonce is issued per response, whereas every edit to a hashed block requires updating the policy.

  • Using 'unsafe-inline' is not recommended as it allows all inline styles, which is a security risk (injected CSS can leak page content and restyle the UI). Consider using nonces or hashes instead.

Available Values

  • 'none'

    Blocks all style sources

  • 'self'

    Allows styles from the same origin

  • 'sha256-<hash>'

    Allows styles matching a specific hash

  • https://example.com

    Allows loading styles from specific origins

  • 'report-sample'

    Requires the first 40 characters of the blocked style to be included in violation reports

  • 'unsafe-inline'

    Allows inline styles and style attributes (not recommended)

Examples

  • Allows stylesheets from the same origin, a specific external site, and an inline block with a nonce

    Content-Security-Policy: style-src 'self' https://example.com 'nonce-2726c7f26c';

    Allowed

        <!-- allowed by 'self' -->
        <link rel='stylesheet' href='/css/style.css'>
    
        <!-- allowed by https://example.com -->
        <link rel='stylesheet' href='https://example.com/css/style.css'>
    
        <!-- allowed by nonce -->
        <style nonce="2726c7f26c">
          .inline-style {background: red;}
        </style>

    Blocked

        <!-- blocked as the domain is not authorized -->
        <link href="https://malicious.website.com/styles/main.css" rel="stylesheet" type="text/css" />
    
        <!-- blocked as the <style> element has no nonce; the @import target is not authorized either -->
        <style>
          @import url("https://malicious.website.com/styles/sheet.css");
        </style>
    
        <!-- blocked: a style attribute is inline, and neither 'unsafe-inline' nor a matching hash is present -->
        <div style="display:none">Foo</div>

style-src-attr

The style-src-attr directive specifies valid sources for inline styles applied to individual DOM elements.

Recommended Values

  • 'none'

    Blocks all inline style attributes (recommended)

  • 'unsafe-hashes' 'sha256-<hash>'

    Allows style attributes whose value matches the hash; the hash only applies to attributes when 'unsafe-hashes' is present

Tips & Tricks

  • If style-src-attr is not set, the user agent will look for style-src, and if that is not set, default-src is used.

  • Using 'unsafe-inline' allows all style attributes and may introduce security risks. Consider using hashes instead (a nonce cannot be attached to an attribute).

  • Hash sources only match style attributes when 'unsafe-hashes' is also present, and every distinct attribute value needs its own hash. Use with caution.

Examples

  • Allows only the style attribute whose value matches the hash

    Content-Security-Policy: style-src-attr 'unsafe-hashes' 'sha256-<hash>';

    Allowed

    <!-- allowed by hash, where <hash> is the base64 SHA-256 of the attribute value "color: red;" -->
    <p style="color: red;">Red text</p>

    Blocked

    <!-- blocked as no 'unsafe-inline' and the hash doesn't match -->
    <span style="font-weight: bold;">Bold text</span>

style-src-elem

The style-src-elem directive specifies valid sources for stylesheets loaded using <style> elements and <link> elements with rel="stylesheet".

Recommended Values

  • 'self'

    Allows stylesheets from the same origin

  • 'nonce-<random>'

    Allows stylesheets with a specific nonce value

  • 'sha256-<hash>'

    Allows stylesheets with a specific hash

  • domain.example

    Allows stylesheets from a specific domain

Tips & Tricks

  • If style-src-elem is not set, the user agent will look for style-src, and if that is not set, default-src is used.

  • Using 'unsafe-inline' allows all inline styles and may introduce security risks. Consider using nonces or hashes instead.

Examples

  • Allows stylesheets from the same origin, a specific domain, and with a nonce

    Content-Security-Policy: style-src-elem 'self' 'nonce-2726c7f26c' https://cdn.example.com;

    Allowed

    <!-- allowed by 'self' -->
    <link rel="stylesheet" href="/styles/main.css">
    
    <!-- allowed by nonce -->
    <style nonce="2726c7f26c">body {background-color: #f0f0f0;}</style>
    
    <!-- allowed by cdn.example.com -->
    <link rel="stylesheet" href="https://cdn.example.com/framework.css">

    Blocked

    <!-- blocked as no 'unsafe-inline' and no matching nonce -->
    <style>p {color: red;}</style>
    
    <!-- blocked as domain not in allowed list -->
    <link rel="stylesheet" href="https://cdn.otherdomain.com/styles.css">

trusted-types

The trusted-types directive helps prevent XSS attacks by requiring special security-checked values (called 'trusted types') instead of raw strings when modifying sensitive parts of a webpage.

Tips & Tricks

  • This directive is experimental and may not be supported in all browsers.

  • Together with require-trusted-types-for directive, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares an allowlist of trusted type policy names created with trustedTypes.createPolicy from Trusted Types API.

Available Values

  • <policyName>

    A valid policy name that can contain alphanumeric characters and -#=_/@.%. Using * allows any unique policy name.

  • 'none'

    Disallows creating any Trusted Types policy (the same as listing no policy name)

  • 'allow-duplicates'

    Allows a policy name to be created more than once; without it, a second createPolicy call with the same name throws

Examples

  • Allows policies named mypolicy1 and mypolicy2, and lets the same name be created more than once

    Content-Security-Policy: trusted-types mypolicy1 mypolicy2 'allow-duplicates';

    Allowed

    <!-- allowed by mypolicy1 mypolicy2 'allow-duplicates' -->
    <script>
      const policyA = trustedTypes.createPolicy('mypolicy1', {});
      // a second policy with the same name is only accepted because of 'allow-duplicates'
      const policyB = trustedTypes.createPolicy('mypolicy1', {});
      const policyC = trustedTypes.createPolicy('mypolicy2', {});
    </script>

    Blocked

    <!-- blocked as the policy name is not allowed: createPolicy throws a TypeError -->
    <script>
      const policyD = trustedTypes.createPolicy('mypolicy3', {});
    </script>

img-src

The img-src directive specifies the sources from which images & favicons can be loaded.

Recommended Values

  • 'self'

    Allows images from the same origin

  • https://subdomain.domain.com

    Allows images from a specific external site

Tips & Tricks

  • If img-src is not defined, the default-src directive will be used.

  • 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes' have no meaning for img-src; do not copy them in from script or style directives.

  • Scheme sources such as data:, blob:, http: or https: allow images from anywhere using that scheme and are too permissive. Allow specific origins instead.

Examples

  • Allows images from the same origin and a specific external site

    Content-Security-Policy: img-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <img src='/images/logo.png'>
    
    <!-- allowed by 'self' -->
    <link rel='icon' href='/favicon.ico'>
    
    <!-- allowed by https://example.com -->
    <link rel='icon' href='https://example.com/favicon.ico'>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <img src='https://malicious.file.com/logo.png'>
    
    <!-- blocked as the domain is not authorized -->
    <link rel='icon' href='https://malicious.file.com/favicon.ico'>

child-src

The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent.

Recommended Values

  • 'self'

    Allows child frames and workers from the same origin

Tips & Tricks

  • If child-src is not defined, the default-src directive will be used.

Examples

  • Allows child frames and workers from the same origin and a specific external site

    Content-Security-Policy: child-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <iframe src="/local-frame.html"></iframe>
    
    <!-- allowed by https://example.com -->
    <iframe src="https://example.com/external-frame.html"></iframe>
    
    <!-- allowed by 'self' -->
    <script>
      var worker = new Worker('/js/worker.js');
    </script>

    Blocked

    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <iframe src="https://malicious.website.com"></iframe>
    
    <!-- blocked as data: URI is not allowed -->
    <script>
      var blockedWorker = new Worker("data:application/JavaScript, ...");
    </script>

manifest-src

The manifest-src directive specifies the sources from which the manifest can be loaded.

Recommended Values

  • 'self'

    Allows manifest files from the same origin

Tips & Tricks

  • If manifest-src is not defined, the default-src directive will be used.

Examples

  • Allows manifest files from the same origin and a specific external site

    Content-Security-Policy: manifest-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <link rel="manifest" href="/manifest.json">
    
    <!-- allowed by https://example.com -->
    <link rel="manifest" href="https://example.com/manifest.json">

    Blocked

    <!-- blocked as the domain is not authorized -->
    <link rel="manifest" href="https://malicious.website.com/manifest.json">

media-src

The media-src directive specifies the sources from which media can be loaded such as <audio>, <track> and <video>.

Recommended Values

  • 'self'

    Allows media from the same origin

  • https://subdomain.domain.com

    Allows media from a specific external site

Tips & Tricks

  • If media-src is not defined, the default-src directive will be used.

Examples

  • Allows media from the same origin and a specific external site

    Content-Security-Policy: media-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <video src='/video.mp4'></video>
    
    <!-- allowed by https://example.com -->
    <video src='https://example.com/video.mp4'></video>
    
    <!-- allowed by 'self' -->
    <audio src='/audio.mp3'></audio>
    
    <!-- allowed by https://example.com -->
    <audio src='https://example.com/audio.mp3'>
        <track kind='subtitles' src='https://example.com/captions.vtt' srclang='en'>
    </audio>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <video src='https://malicious.file.com/video.mp4'></video>
    
    <!-- blocked as the domain is not authorized -->
    <audio src='https://unauthorized.com/audio.mp3'></audio>
    
    <!-- blocked: the <track> source is not authorized (the <audio> itself is allowed by 'self') -->
    <audio src='/audio.mp3'>
        <track kind='subtitles' src='https://unauthorized.com/captions.vtt' srclang='en'>
    </audio>

object-src

The object-src directive specifies the sources from which <object> and <embed> elements (and, in legacy browsers, <applet>) can be loaded.

Recommended Values

  • 'none'

    Disallows all object sources

Tips & Tricks

  • If object-src is not defined, the default-src directive will be used.

  • Do not use 'unsafe-*' keywords or scheme sources like data:, blob:, http: or https: here. Plugins execute arbitrary code, so 'none' is the right value for almost every site.

Examples

  • Allows objects from the same origin and a specific external site

    Content-Security-Policy: object-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <object data='/js/my_font.js'></object>
    
    <!-- allowed by https://example.com -->
    <object data='https://example.com/myfont.js'></object>

    Blocked

    <!-- blocked as the domain is not authorized -->
    <embed src="https://malicious.website.com/flash"></embed>
    
    <!-- blocked as the domain is not authorized -->
    <object data="https://malicious.website.com/plugin"></object>
    
    <!-- blocked as the domain is not authorized -->
    <applet archive="https://malicious.website.com/java"></applet>

connect-src

The connect-src directive restricts the URLs which can be loaded using script interfaces: <a ping=''>, fetch(), XMLHttpRequest, EventSource, WebSocket and navigator.sendBeacon(). Plain navigation via an href is not governed by this directive.

Recommended Values

  • 'self'

    Allows connections to the same origin

  • https://subdomain.domain.com

    Allows connections to a specific external site

Tips & Tricks

  • If connect-src is not defined, the default-src directive will be used.

  • Do not use 'unsafe-*' keywords or scheme sources like data:, blob:, http: or https: here; a broad connect-src lets injected script exfiltrate data to any host of that scheme.

Examples

  • Allows connections to the same origin and a specific external site

    Content-Security-Policy: connect-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' (the ping request is what connect-src governs; the href navigation is not) -->
    <a href='/page.html' ping='/analytics/ping'>Page</a>
    
    <!-- allowed by https://example.com -->
    <script>
      fetch('https://example.com/api/data');
    </script>

    Blocked

    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <a ping='https://malicious.website.com'>Page</a>
    
    <script>
      // blocked: XMLHttpRequest to an unauthorized origin
      var xhr = new XMLHttpRequest();
      xhr.open('GET', 'https://malicious.website.com/');
      xhr.send();
    
      // blocked: WebSocket to an unauthorized origin
      var ws = new WebSocket('wss://malicious.website.com/');
    
      // blocked: EventSource to an unauthorized origin
      var es = new EventSource('https://malicious.website.com/');
    
      // blocked: sendBeacon to an unauthorized origin
      navigator.sendBeacon('https://malicious.website.com/', 'data');
    </script>

plugin-types

The plugin-types directive specifies the MIME types of plugins that can be embedded in the document. This directive is deprecated and object-src should be used instead.

Tips & Tricks

  • This directive is deprecated and should not be relied on; set object-src 'none' instead.

Examples

  • Allows only plugins served as Java applets

    Content-Security-Policy: plugin-types application/x-java-applet

    Allowed

    <!-- allowed by application/x-java-applet -->
    <object type='application/x-java-applet' data='/java/player.class'></object>

    Blocked

    <!-- blocked as application/x-shockwave-flash is not allowed -->
    <object type='application/x-shockwave-flash' data='/flash/player.swf'></object>

prefetch-src

The prefetch-src directive specifies valid sources for prefetch requests. It is deprecated.

Recommended Values

  • https://subdomain.domain.com

    Allows prefetching from a specific external site

Tips & Tricks

  • If prefetch-src is not defined, the default-src directive will be used.

  • This directive is deprecated and not supported by all browsers; do not rely on it to restrict prefetching.

Examples

  • Allows prefetching from the same origin and a specific external site

    Content-Security-Policy: prefetch-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <link rel='prefetch' href='/js/my_font.js'>

    Blocked

    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <link rel='prefetch' href='https://malicious.website.com/js/my_font.js'>

frame-src

The frame-src directive specifies valid sources for nested browsing contexts loaded into <iframe> and <frame> elements.

Recommended Values

  • 'none'

    Disallows all frame sources

  • 'self'

    Allows frames from the same origin

  • https://subdomain.domain.com

    Allows frames from a specific external site

Tips & Tricks

  • If frame-src is not defined, the child-src directive will be used (which falls back to default-src)

Examples

  • Allows frames from the same origin and a specific external site

    Content-Security-Policy: frame-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <iframe src='/iframe.html'></iframe>
    
    <!-- allowed by https://example.com -->
    <iframe src='https://example.com/iframe.html'></iframe>

    Blocked

    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <iframe src='https://malicious.website.com/iframe.html'></iframe>

fenced-frame-src

The fenced-frame-src directive specifies valid sources for the documents loaded into <fencedframe> elements.

Recommended Values

  • https://subdomain.domain.com

    Allows fenced frames from a specific external site

Tips & Tricks

  • This directive is experimental and may not be supported by all browsers.

  • Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path> and wildcard *

Examples

  • Allows fenced frames from a specific external site

    Content-Security-Policy: fenced-frame-src https://example.com;

    Allowed

    <!-- allowed by https://example.com -->
    <script>
      var fencedFrame = document.createElement('fencedframe');
      fencedFrame.src = 'https://example.com/fenced-frame.html';
    </script>

    Blocked

    <!-- blocked as data: URI is not allowed -->
    <script>
      var blockedFencedFrame = document.createElement('fencedframe');
      blockedFencedFrame.src = 'data:application/JavaScript, ...';
    </script>
    
    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <script>
      var blockedFencedFrame = document.createElement('fencedframe');
      blockedFencedFrame.src = 'https://malicious.website.com/fenced-frame.html';
    </script>

worker-src

The worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

Recommended Values

  • 'self'

    Allows worker scripts from the same origin

  • https://subdomain.domain.com

    Allows worker scripts from a specific external site

Tips & Tricks

  • If this directive is absent, the user agent will look for the child-src directive (which falls back to the default-src directive)

  • Avoid 'unsafe-*' keywords and scheme sources like data:, blob:, http: or https: here; a worker script is code, so a broad source on worker-src has the same impact as a broad script-src.

Examples

  • Allows scripts from the same origin and a specific external site

    Content-Security-Policy: worker-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <script>
      var worker = new Worker('/js/worker.js');
    </script>
    
    <!-- allowed by https://example.com -->
    <script>
      var sharedWorker = new SharedWorker('https://example.com/shared-worker.js');
    </script>
    
    <!-- allowed by 'self' -->
    <script>
      navigator.serviceWorker.register('/service-worker.js');
    </script>

    Blocked

    <!-- blocked as data: URI is not allowed -->
    <script>
      var blockedWorker = new Worker("data:application/JavaScript, ...");
    </script>
    
    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <script>
      blockedWorker = new SharedWorker("https://malicious.website.com/");
    </script>
    
    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <script>
      navigator.serviceWorker.register('https://malicious.website.com/sw.js');
    </script>


CentralSaaS © 2025