The HTTP Content-Security-Policy response header lets a web document declare the valid sources from which objects such as JavaScript, CSS files, etc. may be loaded. It is commonly denoted CSP and has three versions (levels) as of now.
Apart from the response header, the policy can also be defined in a `<meta>` element; a reference link on how to do that is provided at the end.
The different directives are listed below, with the object or configuration each one controls:

| Attribute | Description | CSP Level |
|---|---|---|
| default-src | Lists valid sources for everything (the fallback for fetch directives that are not set) | CSP 1 |
| script-src | Lists valid sources for scripts | CSP 1 |
| style-src | Lists valid sources for stylesheets | CSP 1 |
| img-src | Lists valid sources for images | CSP 1 |
| connect-src | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), `<a ping>` and EventSource | CSP 1 |
| font-src | Lists valid sources for fonts | CSP 1 |
| object-src | Lists valid sources for `<object>`, `<embed>` and `<applet>` | CSP 1 |
| media-src | Lists valid sources for media (`<audio>`, `<video>`) | CSP 1 |
| frame-src | Lists valid sources for `<frame>` content; deprecated in favour of child-src, then undeprecated in CSP 3 | CSP 1 |
| sandbox | Applies a sandbox to the requested resource, similar to the iframe sandbox attribute | CSP 1 |
| report-uri | Instructs the browser to POST a report of policy violations to this URI; deprecated in CSP 3 | CSP 1 |
| child-src | Defines valid sources for content loaded by `<frame>` | CSP 2 |
| form-action | Defines valid targets that can be used as an HTML `<form>` action | CSP 2 |
| frame-ancestors | Defines valid parents that may embed this resource using `<frame>`, `<iframe>`, `<object>`, `<embed>` or `<applet>` | CSP 2 |
| plugin-types | Defines valid MIME types for plugins invoked via `<object>` and `<embed>` | CSP 2 |
| base-uri | Defines the set of allowed URLs that can be used as the document base URL (`<base>`) | CSP 2 |
| report-to | Names a reporting group defined by the Report-To HTTP response header | CSP 3 |
| worker-src | Restricts the URLs that can be loaded as a worker | CSP 3 |
| manifest-src | Restricts the URLs from which application manifests can be loaded | CSP 3 |
| prefetch-src | Lists valid sources for prefetch and prerender requests | CSP 3 |
| navigate-to | Restricts the URLs the page can navigate to | CSP 3 |
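As an added example (not code from the page or the referenced sites), the following script parses a Content-Security-Policy header value into its directives using the names and levels from the table, then flags the weak settings a reviewer would look for: unrestricted or `'unsafe-inline'` script sources, plugin content not blocked with `object-src 'none'`, missing `base-uri` and `frame-ancestors`, and use of the deprecated `report-uri` without `report-to`. The two sample policies at the bottom are constructed for illustration; the nonce value is a fixed placeholder, whereas a real deployment generates a fresh random nonce per response.

```python
from typing import Dict, List

# Directive names and the CSP level that introduced them, from the table above.
CSP_LEVEL = {
    "default-src": 1, "script-src": 1, "style-src": 1, "img-src": 1,
    "connect-src": 1, "font-src": 1, "object-src": 1, "media-src": 1,
    "frame-src": 1, "sandbox": 1, "report-uri": 1,
    "child-src": 2, "form-action": 2, "frame-ancestors": 2,
    "plugin-types": 2, "base-uri": 2,
    "report-to": 3, "worker-src": 3, "manifest-src": 3,
    "prefetch-src": 3, "navigate-to": 3,
}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Directives are ';'-separated; names are case-insensitive; a repeated directive is ignored."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(header: str) -> List[str]:
    """Return findings a reviewer would raise; an empty list means none were found."""
    policy = parse_csp(header)
    findings = [f"unknown directive '{n}'" for n in policy if n not in CSP_LEVEL]
    # Fetch directives such as script-src fall back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if weak in scripts:
                findings.append(f"script-src allows {weak}")
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can load")
    if "base-uri" not in policy:
        findings.append("base-uri missing: a <base> tag can redirect relative URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the page can be framed by any site")
    if "report-uri" in policy and "report-to" not in policy:
        findings.append("report-uri is deprecated in CSP 3: add report-to")
    return findings

# Constructed sample policies: a weak one and a hardened one (nonce is a placeholder).
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' *; report-uri /csp"
STRONG = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; "
          "base-uri 'self'; frame-ancestors 'none'; report-to csp-endpoint")
```

Running `audit_csp(WEAK)` yields six findings, while `audit_csp(STRONG)` yields none.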
References:
https://content-security-policy.com/
https://content-security-policy.com/examples/meta/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy