Content Security Policy Directives
The HTTP Content-Security-Policy response header lets web site administrators control which resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly consist of specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks: an injected script tag or inline handler that does not match the policy is not executed.
Webscale's Set Content Security Policy action for Web Controls allows you to set the following directives. Click the name of each directive for more detailed information.
Note:
Any directives not listed here are not fully supported by all browsers, so they are not available for use in Web Controls. Most of the information on this page is from Mozilla's Developer Docs; visit them for more information.
Fetch directives
Fetch directives control the locations from which certain resource types may be loaded. Each of these directives also requires you to specify a <source> value (see Source and sandbox values below).
| Option | Description |
|---|---|
| Child source (`child-src`) | Defines the valid sources for web workers and nested browsing contexts loaded using elements such as `<frame>` and `<iframe>`. |
| Connect source (`connect-src`) | Restricts the URLs which can be loaded using script interfaces (for example fetch, XMLHttpRequest, WebSocket and EventSource). |
| Default source (`default-src`) | Serves as a fallback for the other fetch directives: any fetch directive you do not set inherits this source list. |
| Font source (`font-src`) | Specifies valid sources for fonts loaded using `@font-face`. |
| Frame source (`frame-src`) | Specifies valid sources for nested browsing contexts loaded using elements such as `<frame>` and `<iframe>`. |
| Image source (`img-src`) | Specifies valid sources of images and favicons. |
| Media source (`media-src`) | Specifies valid sources for loading media using the `<audio>`, `<video>` and `<track>` elements. |
| Object source (`object-src`) | Specifies valid sources for the `<object>`, `<embed>`, and `<applet>` elements. |
| Script source (`script-src`) | Specifies valid sources for JavaScript. |
| Style source (`style-src`) | Specifies valid sources for CSS stylesheets. |
Document directives
Document directives govern the properties of a document or web worker environment to which a policy applies.
| Option | Description |
|---|---|
| Base URI (`base-uri`) | Restricts the URLs which can be used in a document's `<base>` element. Accepts a <source> value. |
| Sandbox (`sandbox`) | Enables a sandbox for the requested resource similar to the `<iframe>` sandbox attribute. It applies restrictions to a page's actions, including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. See the Sandbox values list that follows for the values the sandbox directive accepts. |
Navigation directives
Navigation directives govern the locations to which a user can navigate or submit a form, and which documents may embed the page.
| Option | Description |
|---|---|
| Form action (`form-action`) | Restricts the URLs which can be used as the target of form submissions from a given context. |
| Frame ancestors (`frame-ancestors`) | Specifies valid parents that may embed a page using `<frame>`, `<iframe>`, `<object>`, `<embed>`, or `<applet>`. Accepts a <source> value. |
Other directives
| Option | Description |
|---|---|
| Block all mixed content (`block-all-mixed-content`) | Prevents loading any assets over HTTP when the page is loaded over HTTPS. This directive is deprecated; current browsers block mixed content that cannot be auto-upgraded regardless of it. |
| Upgrade insecure requests (`upgrade-insecure-requests`) | Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. |
Source and sandbox values
Source
The <source> values you can choose for certain directives:
| Option | Description |
|---|---|
| `'self'` | Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives; sites needing to allow these content types can specify them explicitly as scheme sources (`blob:`, `filesystem:`). |
| `'unsafe-eval'` | Allows the use of `eval()` and similar methods for creating code from strings. |
| `'unsafe-hashes'` | Allows specific inline event handlers to be enabled by hash. If you only need to allow inline event handlers and not inline `<script>` elements or `javascript:` URLs, this is a safer method than using the `'unsafe-inline'` expression. |
| `'unsafe-inline'` | Allows the use of inline resources, such as inline `<script>` elements, `javascript:` URLs, inline event handlers, and inline `<style>` elements. |
| `'none'` | Refers to the empty set; that is, no URLs match. |
| `'strict-dynamic'` | Specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, is propagated to all the scripts loaded by that root script. At the same time, any allow list or source expressions such as `'self'` or `'unsafe-inline'` are ignored. See script-src for an example. |
| `'report-sample'` | Requires a sample of the violating code to be included in the violation report. |
| <host-source> | Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, `*`), and you may use a wildcard (again, `*`) as the port number, indicating that all legal ports are valid for the source; for example `*.example.com`, `https://store.example.com` or `example.com:*`. This must be manually typed in the Add Connect source combo box after selecting a directive, and is not available for the `sandbox`, `block-all-mixed-content` or `upgrade-insecure-requests` directives. |
| <scheme-source> | A scheme such as `http:` or `https:`. The colon is required; single quotes must not be used. You can also specify the `data:` scheme (not recommended, since it lets attacker-controlled data URLs pass the policy). This must be manually typed in the Add Connect source combo box after selecting a directive, and is not available for the `sandbox`, `block-all-mixed-content` or `upgrade-insecure-requests` directives. |
| <hash-algorithm>-<base64-value> | A sha256, sha384 or sha512 hash of a script or style. The source consists of two parts separated by a dash: the hash algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the `<script>` or `<style>` tags, and note that capitalization and whitespace matter, including leading or trailing whitespace. See unsafe inline script for an example. In CSP 2.0 this applied only to inline scripts; CSP 3.0 also allows it in `script-src` for external scripts. This must be manually typed in the Add Connect source combo box after selecting a directive, and is not available for the `sandbox`, `block-all-mixed-content`, `upgrade-insecure-requests` or `frame-ancestors` directives. |
| add all current application aliases | Adds all of the alias URLs you have already specified in your application settings. You can also exclude specific alias URLs: click the trashcan icon next to each one you wish to exclude. |
| dynamically add all aliases | Dynamically adds any existing and any future aliases you specify for your application in the application's settings. |
Sandbox values
The sandbox directive accepts the following values:
| Option | Description |
|---|---|
| `allow-downloads-without-user-activation` | Allows downloads to occur without a gesture from the user. |
| `allow-forms` | Allows the page to submit forms. If this keyword is not used, this operation is not allowed. |
| `allow-modals` | Allows the page to open modal windows. |
| `allow-orientation-lock` | Lets the page lock the screen orientation. |
| `allow-pointer-lock` | Allows the page to use the Pointer Lock API. |
| `allow-popups` | Allows popups (such as from `window.open`, `target="_blank"`, `showModalDialog`). If this keyword is not used, that functionality will silently fail. |
| `allow-popups-to-escape-sandbox` | Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page. |
| `allow-presentation` | Allows embedders to have control over whether an iframe can start a presentation session. |
| `allow-same-origin` | Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin. |
| `allow-scripts` | Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed. |
| `allow-storage-access-by-user-activation` | Lets the resource request access to the parent's storage capabilities with the Storage Access API. |
| `allow-top-navigation` | Allows the page to navigate (load) content into the top-level browsing context. If this keyword is not used, this operation is not allowed. |
| `allow-top-navigation-by-user-activation` | Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture. |
Further reading
- How to Configure the Content Security Policy Web Control
- Content Security Policy (Firefox MDN web docs)