Content Security Policy Directives

A list of the available content-security-policy directives for Web Controls

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

Webscale’s Set Content Security Policy action for Web Controls allows you to set the following directives. Click the name of each directive for more detailed information.

Fetch directives

Fetch directives control locations from which certain resource types may be loaded. These directives also require that you specify a <source> attribute.

Option Description
Child source (child-src) Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
Connect source (connect-src) Restricts the URLs which can be loaded using script interfaces.
Default source (default-src) Serves as a fallback for the other fetch directives.
Font source (font-src) Specifies valid sources for fonts loaded using @font-face.
Frame source (frame-src) Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
Image source (img-src) Specifies valid sources of images and favicons.
Media source (media-src) Specifies valid sources for loading media using the <audio>, <video> and <track> elements.
Object source (object-src) Specifies valid sources for the <object>, <embed>, and <applet> elements.
Script source (script-src) Specifies valid sources for JavaScript.
Style source (style-src) Specifies valid sources for CSS stylesheets.

Document directives

Document directives govern the properties of a document or web worker environment to which a policy applies.

Option Description
Base URI (base-uri) Restricts the URLs which can be used in a document’s <base> element. Accepts a <source> attribute.
Sandbox (sandbox) Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page’s actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. See the Sandbox values list that follows for the values the sandbox directive accepts.

Navigation directives

Navigation directives govern the locations to which a user can navigate or submit a form.

Option Description
Form action (form-action) Restricts the URLs which can be used as the target of a form submission from a given context.
Frame ancestors (frame-ancestors) Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Accepts a <source> attribute.

Other directives

Option Description
Block all mixed content (block-all-mixed-content) Prevents loading any assets using HTTP when the page is loaded using HTTPS.
Upgrade insecure requests (upgrade-insecure-requests) Instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
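
The following Python is an added example for this page, not Webscale code: it assembles a header value from a map of the directives listed above and resolves which directive actually governs a given resource load, applying the default-src fallback described in the Fetch directives table. The frame-src to child-src fallback step is CSP3 behaviour assumed here; the table above only states the default-src fallback.

```python
"""Assemble a Content-Security-Policy header value from a directive map
and resolve which fetch directive governs a resource type."""
from typing import Dict, List, Optional

# Keyword sources that must be written in single quotes in the header.
KEYWORD_SOURCES = {"self", "none", "unsafe-inline", "unsafe-eval",
                   "unsafe-hashes", "strict-dynamic", "report-sample"}

# Directives that take no source list at all.
VALUELESS_DIRECTIVES = {"block-all-mixed-content", "upgrade-insecure-requests"}

# Fetch directives fall back to default-src when absent; frame-src falls
# back to child-src first (CSP3 behaviour, assumed here rather than taken
# from the table above).
FALLBACK_OF = {d: "default-src" for d in (
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "media-src", "object-src", "script-src", "style-src")}
FALLBACK_OF["frame-src"] = "child-src"

# Constructed sample policy used by the demo below.
SAMPLE_POLICY = {
    "default-src": ["self"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["self", "data:"],
    "frame-ancestors": ["none"],
    "upgrade-insecure-requests": [],
}


def normalize_source(value: str) -> str:
    """Return a source expression as it must appear in the header: keyword,
    nonce and hash sources get their mandatory single quotes, hosts and
    schemes are passed through unchanged."""
    bare = value.strip("'")
    if bare in KEYWORD_SOURCES or bare.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
        return f"'{bare}'"
    return value


def build_csp_header(policy: Dict[str, List[str]]) -> str:
    """Serialise {directive: [sources]} into the header value; directives
    are separated by '; ' and sources by spaces."""
    parts = []
    for directive, sources in policy.items():
        if directive in VALUELESS_DIRECTIVES:
            if sources:
                raise ValueError(f"{directive} takes no sources")
            parts.append(directive)
            continue
        if not sources:
            raise ValueError(f"{directive} needs at least one source")
        parts.append(" ".join([directive] + [normalize_source(s) for s in sources]))
    return "; ".join(parts)


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that actually govern a load of the given type: the directive
    itself if present, else its fallback chain. Non-fetch directives such as
    form-action or frame-ancestors never fall back to default-src."""
    current: Optional[str] = directive
    while current is not None:
        if current in policy:
            return [normalize_source(s) for s in policy[current]]
        current = FALLBACK_OF.get(current)
    return None


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp_header(SAMPLE_POLICY))
    for d in ("script-src", "font-src", "frame-src", "form-action"):
        print(f"{d:12} ->", effective_sources(SAMPLE_POLICY, d))
```

In the sample policy, font-src and frame-src are absent, so both inherit `'self'` from default-src, while form-action returns nothing because navigation directives have no fallback and are simply unrestricted when omitted.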

Source and sandbox values

Source

The <source> attributes you can choose for certain directives:

Option Description
'self' Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.
unsafe-eval Allows the use of eval() and similar methods for creating code from strings.
unsafe-hashes Allows specific inline event handlers to be enabled. If you only need to allow inline event handlers and not inline <script> elements or javascript: URLs, this is a safer method compared to using the unsafe-inline expression.
unsafe-inline Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements.
none Refers to the empty set; that is, no URLs match.
strict-dynamic Specifies that the trust explicitly given to a script present in the markup by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. See script-src for an example.
report-sample Requires a sample of the violating code to be included in the violation report.
<host-source> Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site’s address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
This must be manually typed in the Add Connect source combo box after selecting a directive, and is not available for sandbox, block-all-mixed-content or upgrade-insecure-requests directives.
Examples:
  • http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
  • mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
  • https://store.example.com: Matches all attempts to access store.example.com using https:.
<scheme-source> A scheme such as ‘http:’ or ‘https:’. The colon is required, single quotes shouldn’t be used. You can also specify data schemes (not recommended).
This must be manually typed in the Add Connect source combo box after selecting a directive, and is not available for sandbox, block-all-mixed-content or upgrade-insecure-requests directives.
  • data: Allows data: URIs to be used as a content source. Note: This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
  • mediastream: Allows mediastream: URIs to be used as a content source.
  • blob: Allows blob: URIs to be used as a content source.
  • filesystem: Allows filesystem: URIs to be used as a content source.
<hash-algorithm>-<base64-value> A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the hash algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don’t include the <script> or <style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace.
See unsafe inline script for an example. In CSP 2.0 this applied only to inline scripts. CSP 3.0 allows it in the case of script-src for external scripts.
This must be manually typed in the Add Connect source combo box after selecting a directive, and is not available for sandbox, block-all-mixed-content, upgrade-insecure-requests or frame-ancestors directives.
add all current application aliases This will add all of the alias URLs you’ve already specified in your application settings. You can also exclude specific alias URLs. Click the trashcan icon next to each one you wish to exclude.
dynamically add all aliases This will dynamically add any existing and any future aliases you’ve specified for your application in the application’s settings.
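
As an added example (not Webscale code), the Python below implements the <host-source> matching rules the table describes, checked against the three example expressions given above, and derives the <hash-algorithm>-<base64-value> expression for an inline script or style body. Assumptions: only the scheme, host and port parts of a host-source are matched (any path part is ignored), and the CSP3 rule that an http: source also matches https: URLs is applied; the page scheme defaults to https when an expression names no scheme.

```python
"""Match URLs against CSP host-source expressions and derive hash-source
expressions for inline scripts and styles."""
import base64
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_host_source(expr: str):
    """Split 'scheme://host:port' into (scheme, host, port); scheme and
    port are optional, as in http://*.example.com or mail.example.com:443."""
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    rest = rest.split("/", 1)[0]          # drop any path part (not matched here)
    host, _, port = rest.partition(":")
    return scheme, host.lower(), port or None


def scheme_matches(expected: str, actual: str) -> bool:
    """Exact match, plus the CSP3 allowance that an http:/ws: source also
    covers the secure upgrade of that scheme."""
    return (expected == actual
            or (expected == "http" and actual == "https")
            or (expected == "ws" and actual == "wss"))


def host_source_matches(expr: str, url: str, page_scheme: str = "https") -> bool:
    """True when `url` is allowed by host-source `expr` on a page served
    over `page_scheme` (the page scheme applies when `expr` names none)."""
    scheme, host, port = parse_host_source(expr)
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    url_host = (parts.hostname or "").lower()
    url_port = parts.port or DEFAULT_PORTS.get(url_scheme)

    # Scheme: the expression's own scheme, otherwise the page's.
    if not scheme_matches(scheme or page_scheme, url_scheme):
        return False

    # Host: a leading '*.' matches any subdomain but not the bare domain;
    # a lone '*' matches every host.
    if host == "*":
        pass
    elif host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif url_host != host:
        return False

    # Port: '*' accepts any port; no port means the URL scheme's default.
    if port == "*":
        return True
    expected_port = int(port) if port else DEFAULT_PORTS.get(url_scheme)
    return url_port == expected_port


def hash_source(content: str, algorithm: str = "sha256") -> str:
    """Hash-source expression for an inline <script> or <style> body: hash
    exactly the text between the tags (case and whitespace, including
    leading or trailing whitespace, change the result), then base64-encode."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash sources must use sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


if __name__ == "__main__":
    # Constructed checks mirroring the three host-source examples above.
    print(host_source_matches("http://*.example.com", "http://api.example.com/v1"))          # True
    print(host_source_matches("http://*.example.com", "http://example.com/"))                # False
    print(host_source_matches("mail.example.com:443", "https://mail.example.com/inbox"))     # True
    print(host_source_matches("https://store.example.com", "https://store.example.com:8443/"))  # False
    print(hash_source("console.log('inline');"))
```

Note that `*.example.com` deliberately does not match `example.com` itself, and that an expression without a port only matches the default port of the URL's scheme, so an explicit `:8443` on an otherwise allowed host is rejected.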

Sandbox values

The sandbox directive accepts the following values:

Option Description
allow-downloads-without-user-activation Allows for downloads to occur without a gesture from the user.
allow-forms Allows the page to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals Allows the page to open modal windows.
allow-orientation-lock Allows the page to disable the ability to lock the screen orientation.
allow-pointer-lock Allows the page to use the Pointer Lock API.
allow-popups Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-storage-access-by-user-activation Lets the resource request access to the parent’s storage capabilities with the Storage Access API.
allow-top-navigation Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
allow-top-navigation-by-user-activation Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

Further reading


Last modified May 13, 2020