Ignite content security policy


Content Security Policy

Hugo Groeneveld
Public profile: https://nl.linkedin.com/in/hugogroeneveld


Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from malicious content executing in the trusted web page context.[1] It is a Candidate Recommendation of the W3C working group on Web Application Security,[2] and is widely supported by modern web browsers.[3] CSP gives website owners a standard way to declare the approved origins of content that browsers may load on that site; the covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets and ActiveX, audio and video files, and other HTML5 features.

Header: Content-Security-Policy

  • base-uri restricts the URLs that can appear in a page’s <base> element.
  • child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins. Use this in place of the deprecated frame-src directive.
  • connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource).
  • font-src specifies the origins that can serve web fonts. Google’s Web Fonts could be enabled via font-src https://themes.googleusercontent.com

  • form-action lists valid endpoints for submission from <form> tags.
  • frame-ancestors specifies the sources that can embed the current page. This directive applies to <frame>, <iframe>, <embed>, and <applet> tags. This directive can’t be used in <meta> tags and applies only to non-HTML resources.
  • frame-src is deprecated. Use child-src instead.
  • img-src defines the origins from which images can be loaded.
  • media-src restricts the origins allowed to deliver video and audio.
  • object-src allows control over Flash and other plugins.

  • plugin-types limits the kinds of plugins a page may invoke.
  • report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta> tags.
  • style-src is script-src’s counterpart for stylesheets.
  • upgrade-insecure-requests instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for web sites with large numbers of old URLs that need to be rewritten.

Header: Content-Security-Policy

  • default-src is the fallback for the other fetch directives (script-src, style-src, img-src, and so on): any of them left unspecified takes its value from default-src.

report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta> tags.

Content-Security-Policy: script-src 'self' 'nonce-$RANDOM';

<script nonce="$RANDOM">...</script>
