The default fallback for other fetch directives. If other fetch directives are not explicitly defined, they fall back to the values specified in default-src.
Learn more about the font-src directive and how to use it to control the loading of fonts. See how to set up the font-src directive for a secure, compliant Content-Security-Policy.
Controls which JavaScript sources can be loaded and executed. See how to set up the script-src directive for a secure, compliant Content-Security-Policy.
Controls inline event handlers and script attributes. See how to set up the script-src-attr directive for a secure, compliant Content-Security-Policy.
Controls which script elements can be loaded. See how to set up the script-src-elem directive for a secure, compliant Content-Security-Policy.
Controls which CSS sources can be loaded. See how to set up the style-src directive for a secure, compliant Content-Security-Policy.
Controls inline style attributes. See how to set up the style-src-attr directive for a secure, compliant Content-Security-Policy.
Learn more about the style-src-elem directive and how to use it to control the loading of stylesheets. See how to set up style-src-elem in the Content-Security-Policy and its relation to the style-src-attr directive.
Controls which DOM sink functions can accept values. See how to set up the trusted-types directive for a secure, compliant Content-Security-Policy.
Controls which image sources can be loaded. See how to set up the img-src directive for a secure, compliant Content-Security-Policy.
Controls which URLs can be loaded into a child browsing context. See how to set up the child-src directive for a secure, compliant Content-Security-Policy.
Controls which manifest sources can be loaded. See how to set up the manifest-src directive for a secure, compliant Content-Security-Policy.
Controls which media sources can be loaded. See how to set up the media-src directive for a secure, compliant Content-Security-Policy.
Controls which plugin content can be loaded. See how to set up the object-src directive for a secure, compliant Content-Security-Policy.
Controls which URLs the application can connect to via script interfaces. See how to set up the connect-src directive for a secure, compliant Content-Security-Policy.
Controls which plugins can be loaded by the document. See how to set up the plugin-types directive for a secure, compliant Content-Security-Policy.
Controls which resources can be prefetched or prerendered. See how to set up the prefetch-src directive for a secure, compliant Content-Security-Policy.
Controls which URLs can be loaded into a browsing context. See how to set up the frame-src directive for a secure, compliant Content-Security-Policy.
Controls which URLs can be loaded into a fenced frame. See how to set up the fenced-frame-src directive for a secure, compliant Content-Security-Policy.
Controls which URLs can be loaded as a Worker, SharedWorker, or ServiceWorker. See how to set up the worker-src directive for a secure, compliant Content-Security-Policy.
Specifies a URI to which violation reports will be sent. See how to set up the report-uri directive for a secure, compliant Content-Security-Policy.
Specifies a reporting group to which violation reports will be sent. See how to set up the report-to directive for a secure, compliant Content-Security-Policy.
Controls which parent pages can embed the page using frame, iframe, object, or similar elements. See how to set up the frame-ancestors directive for a secure, compliant Content-Security-Policy.
Controls which URLs can be used as the action of HTML forms. See how to set up the form-action directive for a secure, compliant Content-Security-Policy.
Controls which URLs can be used in a document's <base> element. See how to set up the base-uri directive for a secure, compliant Content-Security-Policy.
Applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
Controls which DOM sink functions require trusted types. See how to set up the require-trusted-types-for directive for a secure, compliant Content-Security-Policy.
Prevents loading any assets over HTTP when the page is loaded over HTTPS. See how to set up the block-all-mixed-content directive for a secure, compliant Content-Security-Policy.
Instructs browsers to upgrade all HTTP requests to HTTPS. See how to set up the upgrade-insecure-requests directive for a secure, compliant Content-Security-Policy.