Content Security Policy

Fetch directives

Fetch directives control the origins from which different types of resources can be loaded. These policies enhance security by limiting or allowing content based on its source.

All fetch directives can be set to ‘none’ to completely block a resource type or list one or more source expressions that are permitted origins. These source expressions include host sources, scheme sources, or special keywords, and their syntax is detailed in the fetch directive syntax section.

Common fetch directives include child-src for web workers and nested browsing contexts, connect-src for script interfaces, default-src as a fallback, font-src for fonts, img-src for images and icons, and more. Some directives might be marked as experimental or deprecated.

Document directives

Document directives establish policies for properties of documents or worker environments. They manage aspects like URL restrictions and sandboxing.

Navigation directives

Navigation directives specify the URLs or destinations where users are permitted to navigate or submit forms, imposing limits on potential navigation targets.

Reporting directives

Reporting directives specify where Content Security Policy violation reports should be sent. They facilitate monitoring and debugging by sending details about security policy violations to designated endpoints.

Other directives

Additional directives include require-trusted-types-for, which enforces Trusted Types at points where DOM XSS injections can occur, trusted-types for allowing specific policies, and upgrade-insecure-requests to automatically change insecure URLs to HTTPS.

Deprecated directives

Some directives, such as block-all-mixed-content and report-uri, are no longer recommended. They should be replaced by modern alternatives like upgrade-insecure-requests and report-to.

Fetch directive syntax

Fetch directives accept either a single value ‘none’ to block resources or one or more source expressions that specify valid origins. Source expressions come in various formats, including:

• <host-source>: specifies a host or IP address, with optional scheme, port, and path. Wildcards like * can match subdomains or ports.
• <scheme-source>: specifies a URL scheme such as https: or wss:.
• <nonce-<nonce_value>>: a random value generated by the server for scripts or styles.
• <hash_algorithm-hash_value>: a cryptographic hash of inline scripts or styles, allowing integrity verification.
• ‘self’: resources from the same origin as the document.
• ‘unsafe-inline’: allows inline scripts or styles, which reduces security.
• ‘unsafe-eval’: permits the execution of code from strings, generally discouraged.
• ‘wasm-unsafe-eval’: allows WebAssembly to be compiled from strings.
• ‘strict-dynamic’: trust is extended to dynamically loaded scripts initiated by a trusted script.

Source expressions should be formatted according to the security considerations for each resource type, typically with unquoted host or scheme sources and quoted source expressions as needed.

Nonces and Hashes

Nonces are unique, Base64-encoded strings generated per response to permit specific inline scripts or styles. For example:

'nonce-base64-encoded-string'

Hashes specify the cryptographic hash of inline scripts or styles for integrity verification, such as:

'sha256-base64hash'

When hashes or nonces are used, inline scripts or styles must include matching attributes. They improve security by allowing specific inline code while preventing injection attacks.

<host-source>

The URL or IP address of a host that is a valid source for the resource, with optional scheme, port, and path. Wildcards allow matching subdomains or all ports. Path matching can be prefix or exact, providing detailed control over resource origins.

<scheme-source>

The URL scheme, such as https: or wss:. Secure upgrades are permitted, meaning resources requested over HTTP can be loaded over HTTPS.

‘self’

Resources can only be loaded from the same origin as the document. If the document is served over HTTP, this allows HTTPS equivalents; the same applies to WebSocket schemes.

‘unsafe-eval’

Enables JavaScript evaluation functions like eval(), which are disabled by default or under strict CSPs for security reasons. Its use should be avoided unless essential, as it weakens content security.

‘wasm-unsafe-eval’

Allows WebAssembly code to be compiled from strings, bypassing default restrictions. Use with caution to avoid security risks.

‘unsafe-inline’

Permits inline JavaScript and CSS, including inline event handlers or style attributes. This significantly reduces security but might be necessary for legacy or specific applications.

‘unsafe-hashes’

Allows the execution of inline code based on hash expressions, enabling more specific control over inline scripts and styles. Use with caution, as allowing hashes can still introduce risks.

‘inline-speculation-rules’

Permits loading inline <script> elements that have a type attribute set to speculationrules.

‘strict-dynamic’

Extends trust from nonces or hashes to dynamically loaded scripts, allowing scripts created at runtime to inherit the same security policy. This is useful for scenarios involving dynamic script loading.

‘report-sample’

If included in a directive related to scripts or styles and violations occur, the violation report will include a sample of the content of the first blocked resource, aiding in debugging and security analysis.

CSP in workers

Workers are generally not subject to the CSP of the parent document unless their origin is a unique identifier like data: or blob:. To define policies for workers, set the Content-Security-Policy header for the request of the worker script.

Multiple content security policies

It is possible to specify multiple policies using multiple Content-Security-Policy headers, Content-Security-Policy-Report-Only headers, or <meta> tags.