HTTP Content Security Policy

HTTP Content Security Policy HTTP response headers help Web documents identify the valid sources to load various objects from like javascript, CSS files, etc. It is commonly denoted by CSP and has 3 versions as of now.

Apart from response header, this policy can also be defined in meta, the reference link on how to do that is provided in the end.

Different attribute are listed below for different objects and configurations:

AttributeDescriptionCSP Level
default-srcLists valid sources for everythingCSP 1
script-srcLists valid sources for scriptsCSP 1
style-srcLists valid sources for stylesheetsCSP 1
img-srcLists valid sources for imagesCSP 1
connect-srcApplies to XMLHttpRequest – AJAX, websocket,fetch(), <a ping> and EventSourceCSP 1
font-srcLists valid font resourcesCSP 1
object-srcLists valid sources for <object> <embed> <applet>CSP 1
media-srcLists valid sources for media <audio> <video>CSP 1
frame-srcLists valid sources to list frame sources <frame>, depriciated and replaced by child-src, undepriciated in CSP 3CSP 1
sandboxCreates a sandbox for requested resource similar to iframe sandboxCSP 1
report-uriInstructs the browser to POST a report of policy failures to this URI, depriciated in CSP3CSP 1
child-srcDefines valid sources for web to be loaded by <frame>CSP 2
form-actionDefines valid sources that can be used as HTML <form> actionCSP 2
frame-ancestorsDefines valid sources for embedding the resource using frame/iframe/object/embed/applet tagsCSP 2
plugin-typesDefines valid MIME types for plugins invoked via <object> and <embed>CSP 2
base-uriDefines set of allowed URLs which can be used in the srcCSP 2
report-toDefines reporting group name defined by HTTP response headerCSP 3
worker-srcRestricts URL which can be loaded as a workerCSP 3
manifest-srcRestricts the URLs that application manifests can be loadedCSP 3
prefetch-srcLists valid sources for request prefetch and prerenderingCSP 3
navigate-toRestricts URL that page navigated toCSP 3