Fetching
The fetching directives are used to control the resources that can be loaded by the browser.
default-src
The default-src directive is the fallback for all fetch directives: it sets the default policy for fetching resources whenever no more specific fetch directive is present.
Recommended Values
'self' - Allows resources from the same origin
https://subdomain.example.com - Allows resources from a specific external site
Tips & Tricks
default-src is a fallback directive. If a more specific fetch directive is defined, it overrides default-src for that resource type.
Using 'unsafe-inline', 'unsafe-eval' or 'unsafe-hashes' can introduce security vulnerabilities. Use with caution.
Using broad keywords like 'data:', 'blob:', 'http:' or 'https:' is too permissive and may introduce security vulnerabilities. Use with caution.
Examples
Recommended usage: allows only resources from the same origin; other sources should be defined in a specific fetch directive.
Content-Security-Policy: default-src 'self';
Allowed
<!-- allowed by 'self' -->
<script src='/js/my_font.js'></script>
Blocked
<!-- blocked as the domain is not authorized -->
<script src='https://malicious.file.com/hihi.js'></script>
<!-- blocked as inline script is not allowed -->
<script>alert('Hello there');</script>
<!-- blocked as event handlers are not allowed -->
<button onclick="alert('Hello there');">Click me</button>
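The fallback rule above, and the longer chains this page describes for frame-src, worker-src and the -elem/-attr directives, can be checked mechanically. The following is an added example (not code from the original page): it parses a Content-Security-Policy header value, resolves which directive governs a given fetch, and matches a URL against the governing directive's source expressions. The page origin and URLs are constructed; the chain for worker-src also consults script-src between child-src and default-src, as CSP Level 3 specifies, and fenced-frame-src is taken to fall back to frame-src per the current draft.

```javascript
'use strict';
// Added example (not code from the original page): parse a Content-Security-Policy
// header value and resolve which directive governs a fetch, following the fallback
// chains this page describes for its directives (CSP Level 3 semantics).

// Fallback chains: the first directive present in the policy wins. Directives not
// listed here fall back straight to default-src.
const FALLBACK = {
  'script-src-elem':  ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr':  ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem':   ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr':   ['style-src-attr', 'style-src', 'default-src'],
  // CSP Level 3 consults script-src after child-src for workers.
  'worker-src':       ['worker-src', 'child-src', 'script-src', 'default-src'],
  'frame-src':        ['frame-src', 'child-src', 'default-src'],
  'fenced-frame-src': ['fenced-frame-src', 'frame-src', 'child-src', 'default-src'],
};
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Map of directive name -> source expressions. A repeated directive name is ignored:
// the first occurrence in the header is the one browsers enforce.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Name of the directive that actually governs `directive`, or null if none is set.
function governingDirective(policy, directive) {
  const chain = FALLBACK[directive] || [directive, 'default-src'];
  return chain.find((name) => policy.has(name)) || null;
}

// Does a single source expression match `url` as fetched by a document at pageOrigin?
// Handles 'self', '*', scheme-sources ('https:', 'data:') and host-sources with an
// optional scheme, '*.' host wildcard, port and path. Nonce and hash sources never
// match a URL, so they return false. Simplification: a host-source without a scheme
// accepts the page's scheme or https.
function sourceMatches(expr, url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  const page = new URL(pageOrigin);
  if (expr === "'self'") return target.origin === page.origin;
  if (expr === '*') return !/^(data|blob|filesystem):$/.test(target.protocol);
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (target.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (target.protocol !== page.protocol && target.protocol !== 'https:') {
    return false;
  }
  // An explicit port must equal the target's effective port; no port means the
  // target must use its scheme's default port.
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port !== '*' && (port ? targetPort !== port : target.port !== '')) return false;
  const pattern = host.toLowerCase();
  const hostOk = pattern.startsWith('*.')
    ? target.hostname.endsWith(pattern.slice(1))
    : target.hostname === pattern;
  if (!hostOk) return false;
  // A path restricts the match: trailing slash means prefix, otherwise exact file.
  if (!path || path === '/') return true;
  return path.endsWith('/') ? target.pathname.startsWith(path) : target.pathname === path;
}

// Final decision for one fetch: unrestricted when no directive applies, denied by
// 'none', otherwise allowed when any expression matches.
function isAllowed(header, directive, url, pageOrigin) {
  const policy = parsePolicy(header);
  const name = governingDirective(policy, directive);
  if (name === null) return true;
  const values = policy.get(name);
  if (values.includes("'none'")) return false;
  return values.some((expr) => sourceMatches(expr, url, pageOrigin));
}

module.exports = { parsePolicy, governingDirective, sourceMatches, isAllowed };
```

Usage: `isAllowed("default-src 'self'", 'script-src-elem', 'https://malicious.file.com/hihi.js', 'https://app.test')` returns false, while `governingDirective(parsePolicy("child-src 'self'"), 'frame-src')` returns 'child-src', showing which directive a frame load is really judged by when frame-src is absent.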
font-src
The font-src directive specifies the sources from which fonts can be loaded.
Recommended Values
'self' - Allows fonts from the same origin
https://subdomain.domain.com - Allows fonts from a specific external site
Tips & Tricks
If font-src is not defined, the default-src directive will be used.
Examples
Allows fonts from the same origin and a specific external site
Content-Security-Policy: font-src 'self' https://fonts.gstatic.com;
Allowed
/* allowed by 'self' */
@font-face { font-family: 'MyFont'; src: url('/fonts/font.ttf'); }
/* allowed by https://fonts.gstatic.com */
@font-face { font-family: 'ExternalFont'; src: url('https://fonts.gstatic.com/fonts/font.ttf'); }
Blocked
/* blocked as the domain is not authorized */
@font-face { font-family: 'MaliciousFont'; src: url('https://malicious.file.com/font.ttf'); }
script-src
The script-src directive specifies the sources from which scripts can be loaded.
Recommended Values
'self' - Allows scripts from the same origin
https://subdomain.domain.com - Allows scripts from a specific external site
'sha256-<hash>' - Allows scripts with a specific hash
'nonce-<random>' - Allows scripts with a specific nonce value
'strict-dynamic' - Allows scripts loaded by trusted (nonced or hashed) scripts, ignoring the allowlist
Tips & Tricks
The nonce value must be unique for each request and must be the same as the one specified in the Content-Security-Policy header.
Hashes can also be used to allow specific scripts. See the values section for more information.
Do not use 'unsafe-inline', 'unsafe-eval' or 'unsafe-hashes', as they may introduce security vulnerabilities.
Using broad keywords like 'data:', 'blob:', 'http:' or 'https:' is too permissive and may introduce security vulnerabilities. Use with caution.
Using 'strict-dynamic' trusts any script loaded by a script that was itself allowed by a nonce or hash, and makes the browser ignore host allowlists and 'self' in the same directive. This is useful when a nonced bootstrap script loads further scripts dynamically.
Available Values
'none' - Blocks all scripts
'self' - Allows scripts from the same origin
subdomain.domain - Allows scripts from a specific domain
'sha256-<hash>' - Allows scripts with a specific hash
'nonce-<random>' - Allows scripts with a specific nonce value
'report-sample' - Includes script samples in violation reports for debugging
'strict-dynamic' - Allows scripts loaded by trusted scripts, ignoring the allowlist and requiring nonces/hashes
'unsafe-inline' - Allows all inline scripts (not recommended)
'unsafe-eval' - Allows the use of eval() and similar dynamic code execution methods (not recommended)
Examples
Allows scripts from the same origin, a specific external site, and an inline script carrying the matching nonce
Content-Security-Policy: script-src 'self' https://example.com 'nonce-zf48z4fefDOg94qDef5EE6eFqzf15';
Allowed
<!-- allowed by 'self' -->
<script src='/js/my_font.js'></script>
<!-- allowed by https://example.com -->
<script src='https://example.com/myfont.js'></script>
<!-- allowed by nonce -->
<script nonce='zf48z4fefDOg94qDef5EE6eFqzf15'>alert('Hello there');</script>
Blocked
<!-- blocked as the domain is not authorized -->
<script src='https://malicious.file.com/hihi.js'></script>
<!-- blocked as inline script is not allowed -->
<script>alert('Hello there');</script>
<!-- blocked as event handlers are not allowed -->
<button onclick="alert('Hello there');">Click me</button>
script-src-attr
The script-src-attr directive specifies valid sources for JavaScript inline event handlers. It covers only inline event handler attributes such as onclick, not scripts loaded into <script> elements.
Recommended Values
'none' - Blocks all inline event handlers (recommended)
'sha256-<hash>' - Allows inline event handlers that match a specific hash
'report-sample' - Includes samples of blocked scripts in violation reports to help with debugging
Tips & Tricks
Do not use event handler attributes like onclick in the tag. Favor registering handlers from script, e.g. document.getElementById('btn').addEventListener('click', doSomething), instead.
A hash only applies to an event handler when 'unsafe-hashes' is also present in the directive, which widens what the hash can match; prefer moving the handler into a script registered with addEventListener so neither is needed.
This directive is more specific than script-src and only applies to inline event handlers.
Available Values
'none' - Blocks all inline event handlers (recommended)
'sha256-<hash>' - Allows inline event handlers that match a specific hash
'report-sample' - Includes samples of blocked scripts in violation reports to help with debugging
'unsafe-inline' - Allows all inline event handlers (not recommended)
'unsafe-hashes' - Allows event handlers that match a listed hash (use with caution)
Examples
Allows only the inline event handler matching the listed hash
Content-Security-Policy: script-src-attr 'unsafe-hashes' 'sha256-xsuTGwM1pbHxJt6Bcu7KLls/Z+Q7K2yHs6kiFf8OBkA=';
Allowed
<!-- allowed by 'sha256-xsuTGwM1pbHxJt6Bcu7KLls/Z+Q7K2yHs6kiFf8OBkA=' together with 'unsafe-hashes' -->
<button onclick="alert('Hello')">Click me</button>
Blocked
<!-- blocked as the hash of the handler is not in the directive -->
<button onclick="alert('An other text')">Click me</button>
script-src-elem
The script-src-elem directive specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick. It lets you control where <script> tags can load JavaScript from, providing an additional layer of control over your web application.
Recommended Values
'self' - Allows scripts from the same origin
https://subdomain.domain.com - Allows scripts from a specific external site
'nonce-<random>' - Allows scripts with a specific nonce value
'sha256-<hash>' - Allows scripts that match a specific hash
'report-sample' - Includes samples of blocked scripts in violation reports to help with debugging
Tips & Tricks
Using 'report-sample' is recommended as it includes samples of blocked scripts in violation reports, helping with debugging.
This directive is more specific than script-src and only applies to <script> elements, not to inline event handlers or javascript: URLs.
Using 'unsafe-inline' with this directive can be risky. Consider using nonces or hashes instead for inline scripts.
When using hashes, make sure to include the 'unsafe-hashes' source expression if you need to allow event handlers and javascript: URLs.
Available Values
'self' - Allows scripts from the same origin
'none' - Blocks all scripts
'nonce-<random>' - Allows scripts with a matching nonce attribute
'sha256-<hash>' - Allows scripts matching a specific hash value
https://example.com - Allows scripts from specific trusted domains
'strict-dynamic' - Allows scripts loaded by trusted scripts, ignoring the static allowlist
'report-sample' - Includes script samples in violation reports for debugging
'unsafe-inline' - Allows inline scripts in <script> tags (not recommended)
'unsafe-eval' - Allows use of eval() and similar functions (strongly discouraged)
Examples
Allows scripts from the same origin and a specific external site
Content-Security-Policy: script-src-elem 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<script src='/js/app.js'></script>
<!-- allowed by https://example.com -->
<script src='https://example.com/js/library.js'></script>
Blocked
<!-- blocked as the domain is not authorized -->
<script src='https://malicious.website.com/js/script.js'></script>
<!-- blocked as inline scripts are not allowed -->
<script>alert('Hello');</script>
style-src
The style-src directive specifies the sources from which stylesheets can be loaded.
Recommended Values
'self' - Allows styles from the same origin
https://subdomain.domain.com - Allows styles from a specific external site
'nonce-<random>' - Allows styles with a specific nonce value
'sha256-<hash>' - Allows styles with a specific hash
Tips & Tricks
To allow inline styles, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block can be specified.
Using a nonce-source rather than hashes to allow specific styles is recommended, as it is easier to maintain.
Using 'unsafe-inline' is not recommended as it allows all inline styles, which can be a security risk. Consider using nonces or hashes instead.
Available Values
'none' - Blocks all style sources
'self' - Allows styles from the same origin
'sha256-<hash>' - Allows styles matching a specific hash
https://example.com - Allows loading styles from specific origins
'report-sample' - Requires the first 40 characters of the blocked style to be included in violation reports
'unsafe-inline' - Allows inline styles and style attributes (not recommended)
Examples
Allows stylesheets from the same origin, a specific external site, and with a nonce
Content-Security-Policy: style-src 'self' https://example.com 'nonce-2726c7f26c';
Allowed
<!-- allowed by 'self' -->
<link rel='stylesheet' href='/css/style.css'>
<!-- allowed by https://example.com -->
<link rel='stylesheet' href='https://example.com/css/style.css'>
<!-- allowed by nonce -->
<style nonce="2726c7f26c"> .inline-style { background: red; } </style>
Blocked
<!-- blocked as the domain is not authorized -->
<link href="https://malicious.website.com/styles/main.css" rel="stylesheet" type="text/css" />
<!-- blocked as the domain is not authorized and the element carries no nonce -->
<style> @import url("https://malicious.website.com/styles/sheet.css"); </style>
<!-- blocked as the domain is not authorized -->
<link href="https://malicious.website.com/styles/stylesheet.css" rel="stylesheet" type="text/css" />
<!-- blocked as a style attribute is an inline style and neither 'unsafe-inline' nor a matching hash is present -->
<div style="display:none">Foo</div>
style-src-attr
The style-src-attr directive specifies valid sources for inline styles applied to individual DOM elements through the style attribute.
Recommended Values
'none' - Blocks all inline style attributes (recommended)
'sha256-<hash>' - Allows inline style attributes with a specific hash
Tips & Tricks
If style-src-attr is not set, the user agent will look for style-src, and if that is not set, default-src is used.
Using 'unsafe-inline' allows all inline style attributes and may introduce security risks. Consider using hashes instead.
Using 'unsafe-hashes' lets a listed hash apply to style attributes, but requires a hash for each distinct attribute value. Use with caution.
Examples
Allows only the inline style attribute matching the listed hash
Content-Security-Policy: style-src-attr 'unsafe-hashes' 'sha256-jkHJ83JF7jf83jF83Jj38fJ3j8FJ38fj3F8jf38==';
Allowed
<!-- allowed by the hash together with 'unsafe-hashes' -->
<p style="color: red;">Red text</p>
Blocked
<!-- blocked as no 'unsafe-inline' and the hash doesn't match -->
<span style="font-weight: bold;">Bold text</span>
style-src-elem
The style-src-elem directive specifies valid sources for stylesheets loaded using <style> elements and <link> elements with rel="stylesheet".
Recommended Values
'self' - Allows stylesheets from the same origin
'nonce-<random>' - Allows stylesheets with a specific nonce value
'sha256-<hash>' - Allows stylesheets with a specific hash
domain.example - Allows stylesheets from a specific domain
Tips & Tricks
If style-src-elem is not set, the user agent will look for style-src, and if that is not set, default-src is used.
Using 'unsafe-inline' allows all inline styles and may introduce security risks. Consider using nonces or hashes instead.
Examples
Allows stylesheets from the same origin, a specific domain, and with a nonce
Content-Security-Policy: style-src-elem 'self' 'nonce-2726c7f26c' https://cdn.example.com;
Allowed
<!-- allowed by 'self' -->
<link rel="stylesheet" href="/styles/main.css">
<!-- allowed by nonce -->
<style nonce="2726c7f26c">body { background-color: #f0f0f0; }</style>
<!-- allowed by https://cdn.example.com -->
<link rel="stylesheet" href="https://cdn.example.com/framework.css">
Blocked
<!-- blocked as no 'unsafe-inline' and no matching nonce -->
<style>p { color: red; }</style>
<!-- blocked as the domain is not in the allowed list -->
<link rel="stylesheet" href="https://cdn.otherdomain.com/styles.css">
trusted-types
The trusted-types directive helps prevent DOM XSS by requiring special security-checked values (called 'trusted types') instead of raw strings when writing to sensitive parts of a web page.
Tips & Tricks
This directive is experimental and may not be supported in all browsers.
Together with the require-trusted-types-for directive, this lets authors define rules guarding writes to the DOM, reducing the DOM XSS attack surface to small, isolated parts of the application code base and making them easier to monitor and review. The directive declares an allowlist of trusted type policy names created with trustedTypes.createPolicy from the Trusted Types API.
Available Values
<policyName> - A valid policy name that can contain alphanumeric characters and -#=_/@.%. Using * allows any unique policy name.
'none' - Disallows creating any policy (equivalent to an empty allowlist)
'allow-duplicates' - Allows a listed policy name to be created more than once
Examples
Allows the policies mypolicy1 and mypolicy2, and allows a listed name to be created more than once
Content-Security-Policy: trusted-types mypolicy1 mypolicy2 'allow-duplicates';
Allowed
<!-- allowed by mypolicy1 mypolicy2 'allow-duplicates' -->
<script>
  const policyFoo = trustedTypes.createPolicy('mypolicy1', {});
  // creating 'mypolicy1' a second time is only allowed because of 'allow-duplicates'
  const policyBar = trustedTypes.createPolicy('mypolicy1', {});
  const policyBaz = trustedTypes.createPolicy('mypolicy2', {});
</script>
Blocked
<!-- blocked as the policy name is not allowed -->
<script>
  const policyQux = trustedTypes.createPolicy('mypolicy3', {});
</script>
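The allowed/blocked split above follows from a small rule set: a name must be listed (or the directive must contain *), and a name already created in the document is rejected unless 'allow-duplicates' is present. The following is an added example, not code from the original page: it reproduces that check in plain JavaScript so the page's header can be tested outside a browser, and defines the kind of escaping policy one would pass to trustedTypes.createPolicy under the name mypolicy1. The fallback object returned when the Trusted Types API is absent (for example in Node) is a constructed convenience for running the sample, not part of the API.

```javascript
'use strict';
// Added example (not code from the original page): the policy-name allowlist check a
// browser applies when trustedTypes.createPolicy() is called under a trusted-types
// directive, plus an escaping policy definition. Policy names are the page's.

// Parse the directive value into its three parts: wildcard, duplicate flag and names.
function parseTrustedTypesDirective(value) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  return {
    wildcard: tokens.includes('*'),
    allowDuplicates: tokens.includes("'allow-duplicates'"),
    // quoted keywords such as 'none' are not names; with no names and no '*', nothing is allowed
    names: new Set(tokens.filter((t) => t !== '*' && !t.startsWith("'"))),
  };
}

// Mirrors the browser's decision: the name must be listed or '*' present, and a name
// already created in this document is rejected unless 'allow-duplicates' is set.
function canCreatePolicy(directiveValue, name, alreadyCreated = new Set()) {
  const rules = parseTrustedTypesDirective(directiveValue);
  if (!rules.wildcard && !rules.names.has(name)) return false;
  if (alreadyCreated.has(name) && !rules.allowDuplicates) return false;
  return true;
}

// Minimal HTML escaping used by the policy below: untrusted text becomes inert markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Rules object as passed to trustedTypes.createPolicy(name, rules). Only createHTML is
// defined, so this policy cannot produce TrustedScript or TrustedScriptURL values.
const escapingRules = { createHTML: (input) => escapeHtml(input) };

// Create the real policy in a browser that exposes trustedTypes; elsewhere (e.g. Node)
// return a constructed plain-string stand-in with the same createHTML behaviour.
function createPolicyOrFallback(name, rules) {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') return tt.createPolicy(name, rules);
  return { name, createHTML: rules.createHTML };
}

module.exports = { parseTrustedTypesDirective, canCreatePolicy, escapeHtml, escapingRules, createPolicyOrFallback };
```

With the page's header, canCreatePolicy("mypolicy1 mypolicy2 'allow-duplicates'", 'mypolicy3') is false while 'mypolicy1' can be created twice; drop 'allow-duplicates' and the second creation is refused, which is the setting to prefer once the code base creates each policy exactly once, because it stops injected script from registering a second, laxer policy under an allowed name.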
img-src
The img-src directive specifies the sources from which images and favicons can be loaded.
Recommended Values
'self' - Allows images from the same origin
https://subdomain.domain.com - Allows images from a specific external site
Tips & Tricks
If img-src is not defined, the default-src directive will be used.
Do not use 'unsafe-inline', 'unsafe-eval' or 'unsafe-hashes', as they may introduce security vulnerabilities.
Do not use broad keywords like 'data:', 'blob:', 'http:' or 'https:'; they are too permissive and may introduce security vulnerabilities.
Examples
Allows images from the same origin and a specific external site
Content-Security-Policy: img-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<img src='/images/logo.png'>
<!-- allowed by 'self' -->
<link rel='icon' href='/favicon.ico'>
<!-- allowed by https://example.com -->
<link rel='icon' href='https://example.com/favicon.ico'>
Blocked
<!-- blocked as the domain is not authorized -->
<img src='https://malicious.file.com/logo.png'>
<!-- blocked as the domain is not authorized -->
<link rel='icon' href='https://malicious.file.com/favicon.ico'>
child-src
The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent.
Recommended Values
'self' - Allows child frames and workers from the same origin
Tips & Tricks
If child-src is not defined, the default-src directive will be used.
Examples
Allows child frames and workers from the same origin and a specific external site
Content-Security-Policy: child-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<iframe src="/local-frame.html"></iframe>
<!-- allowed by https://example.com -->
<iframe src="https://example.com/external-frame.html"></iframe>
<!-- allowed by 'self' -->
<script> var worker = new Worker('/js/worker.js'); </script>
Blocked
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<iframe src="https://malicious.website.com"></iframe>
<!-- blocked as data: URI is not allowed -->
<script> var blockedWorker = new Worker("data:application/JavaScript, ..."); </script>
manifest-src
The manifest-src directive specifies the sources from which the web app manifest can be loaded.
Recommended Values
'self' - Allows manifest files from the same origin
Tips & Tricks
If manifest-src is not defined, the default-src directive will be used.
Examples
Allows manifest files from the same origin and a specific external site
Content-Security-Policy: manifest-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<link rel="manifest" href="/manifest.json">
<!-- allowed by https://example.com -->
<link rel="manifest" href="https://example.com/manifest.json">
Blocked
<!-- blocked as the domain is not authorized -->
<link rel="manifest" href="https://malicious.website.com/manifest.json">
media-src
The media-src directive specifies the sources from which media can be loaded, such as <audio>, <track> and <video>.
Recommended Values
'self' - Allows media from the same origin
https://subdomain.domain.com - Allows media from a specific external site
Tips & Tricks
If media-src is not defined, the default-src directive will be used.
Examples
Allows media from the same origin and a specific external site
Content-Security-Policy: media-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<video src='/video.mp4'></video>
<!-- allowed by https://example.com -->
<video src='https://example.com/video.mp4'></video>
<!-- allowed by 'self' -->
<audio src='/audio.mp3'></audio>
<!-- allowed by https://example.com -->
<audio src='https://example.com/audio.mp3'>
  <track kind='subtitles' src='https://example.com/captions.vtt' srclang='en'>
</audio>
Blocked
<!-- blocked as the domain is not authorized -->
<video src='https://malicious.file.com/video.mp4'></video>
<!-- blocked as the domain is not authorized -->
<audio src='https://unauthorized.com/audio.mp3'></audio>
<!-- the audio is allowed by 'self', but the track is blocked as its domain is not authorized -->
<audio src='/audio.mp3'>
  <track kind='subtitles' src='https://unauthorized.com/captions.vtt' srclang='en'>
</audio>
object-src
The object-src directive specifies the sources from which <object>, <embed>, and <applet> elements can be loaded.
Recommended Values
'none' - Disallows all object sources
Tips & Tricks
If object-src is not defined, the default-src directive will be used.
Don't use unsafe-* values or broad keywords like 'data:', 'blob:', 'http:' or 'https:', as they may introduce security vulnerabilities.
Examples
Allows objects from the same origin and a specific external site (the recommended value is 'none'; this example only shows how sources are matched)
Content-Security-Policy: object-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<object data='/js/my_font.js'></object>
<!-- allowed by https://example.com -->
<object data='https://example.com/myfont.js'></object>
Blocked
<!-- blocked as the domain is not authorized -->
<embed src="https://malicious.website.com/flash">
<!-- blocked as the domain is not authorized -->
<object data="https://malicious.website.com/plugin"></object>
<!-- blocked as the domain is not authorized -->
<applet archive="https://malicious.website.com/java"></applet>
connect-src
The HTTP Content-Security-Policy (CSP) connect-src directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are: <a ping=''>, fetch(), XMLHttpRequest, EventSource, WebSocket and navigator.sendBeacon().
Recommended Values
'self' - Allows connections to the same origin
https://subdomain.domain.com - Allows connections to a specific external site
Tips & Tricks
If connect-src is not defined, the default-src directive will be used.
Don't use unsafe-* values or broad keywords like 'data:', 'blob:', 'http:' or 'https:', as they may introduce security vulnerabilities.
Examples
Allows connections to the same origin and a specific external site
Content-Security-Policy: connect-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<a ping='/ping' href='/page.html'>Page</a>
<!-- allowed by https://example.com -->
<a ping='https://example.com/ping' href='/page.html'>Page</a>
Blocked
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<a ping='https://malicious.website.com'>Page</a>
<script>
  // blocked: XMLHttpRequest to an unauthorized origin
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://malicious.website.com/');
  xhr.send();
  // blocked: WebSocket to an unauthorized origin
  var ws = new WebSocket('wss://malicious.website.com/');
  // blocked: EventSource to an unauthorized origin
  var es = new EventSource('https://malicious.website.com/');
  // blocked: beacon to an unauthorized origin
  navigator.sendBeacon('https://malicious.website.com/', {...});
</script>
plugin-types
The plugin-types directive specifies the MIME types of plugins that can be embedded in the document. This directive is deprecated and object-src should be used instead.
Tips & Tricks
This directive is deprecated.
Examples
Allows only plugins of the application/x-java-applet MIME type
Content-Security-Policy: plugin-types application/x-java-applet;
Allowed
<!-- allowed by application/x-java-applet -->
<object type='application/x-java-applet' data='/java/player.class'></object>
Blocked
<!-- blocked as application/x-shockwave-flash is not allowed -->
<object type='application/x-shockwave-flash' data='/flash/player.swf'></object>
prefetch-src
The prefetch-src directive specifies valid sources for prefetching.
Recommended Values
https://subdomain.domain.com - Allows prefetching from a specific external site
Tips & Tricks
If prefetch-src is not defined, the default-src directive will be used.
Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path> and the wildcard *.
This directive is not supported by all browsers.
Examples
Allows prefetching from the same origin and a specific external site
Content-Security-Policy: prefetch-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<link rel='prefetch' href='/js/my_font.js'>
Blocked
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<link rel='prefetch' href='https://malicious.website.com/js/my_font.js'>
frame-src
The frame-src directive specifies valid sources for iframes in the document.
Recommended Values
'none' - Disallows all frame sources
'self' - Allows frames from the same origin
https://subdomain.domain.com - Allows frames from a specific external site
Tips & Tricks
If frame-src is not defined, the child-src directive will be used (which falls back to default-src).
Examples
Allows frames from the same origin and a specific external site
Content-Security-Policy: frame-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<iframe src='/iframe.html'></iframe>
<!-- allowed by https://example.com -->
<iframe src='https://example.com/iframe.html'></iframe>
Blocked
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<iframe src='https://malicious.website.com/iframe.html'></iframe>
fenced-frame-src
The fenced-frame-src directive specifies valid sources for the content loaded into <fencedframe> elements.
Recommended Values
https://subdomain.domain.com - Allows fenced frame content from a specific external site
Tips & Tricks
This directive is experimental and may not be supported by all browsers.
Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path> and the wildcard *.
Examples
Allows fenced frame content from the same origin and a specific external site
Content-Security-Policy: fenced-frame-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<script>
  var fencedFrame = document.createElement('fencedframe');
  fencedFrame.src = '/fenced-frame.html';
</script>
<!-- allowed by https://example.com -->
<script>
  var fencedFrame = document.createElement('fencedframe');
  fencedFrame.src = 'https://example.com/fenced-frame.html';
</script>
Blocked
<!-- blocked as data: URI is not allowed -->
<script>
  var blockedFencedFrame = document.createElement('fencedframe');
  blockedFencedFrame.src = 'data:application/JavaScript, ...';
</script>
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
  var blockedFencedFrame = document.createElement('fencedframe');
  blockedFencedFrame.src = 'https://malicious.website.com/fenced-frame.html';
</script>
worker-src
The worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
Recommended Values
'self' - Allows worker scripts from the same origin
https://subdomain.domain.com - Allows worker scripts from a specific external site
Tips & Tricks
If this directive is absent, the user agent will look for the child-src directive (which falls back to the default-src directive).
Don't use unsafe-* values or broad keywords like 'data:', 'blob:', 'http:' or 'https:', as they may introduce security vulnerabilities.
Examples
Allows worker scripts from the same origin and a specific external site
Content-Security-Policy: worker-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<script> var worker = new Worker('/js/worker.js'); </script>
<!-- allowed by https://example.com -->
<script> var sharedWorker = new SharedWorker('https://example.com/shared-worker.js'); </script>
<!-- allowed by 'self' -->
<script> navigator.serviceWorker.register('/service-worker.js'); </script>
Blocked
<!-- blocked as data: URI is not allowed -->
<script> var blockedWorker = new Worker("data:application/JavaScript, ..."); </script>
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script> var blockedSharedWorker = new SharedWorker("https://malicious.website.com/"); </script>
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script> navigator.serviceWorker.register('https://malicious.website.com/sw.js'); </script>