The Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring which dynamic resources are allowed to load.

What is Content-Security-Policy?

Content-Security-Policy is the name of an HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict which resources (such as JavaScript, CSS, images, etc.) can be loaded, and the URLs that they can be loaded from.

Although it is primarily used as an HTTP response header, you can also apply it via a meta tag.

The term Content Security Policy is often abbreviated as CSP.

CSP was first designed to reduce the attack surface of Cross-Site Scripting (XSS) attacks; later versions of the spec also protect against other forms of attack such as clickjacking.

This documentation is based on the Content Security Policy Level 2 W3C Recommendation and the CSP Level 3 W3C Working Draft.

The Content-Security-Policy header value is made up of one or more directives (defined below); multiple directives are separated with a semicolon.

default-src
The default-src directive is the fallback for the other fetch directives (script-src, img-src, style-src, etc.) when a policy does not set them explicitly.

block-all-mixed-content
Blocks requests to non-secure http: URLs. Not technically part of the CSP spec; it may be removed in the future.
Example policy: block-all-mixed-content

All of the directives that end with -src support similar values, known as a source list. Multiple source list values can be space separated, with the exception of 'none', which should be the only value.

*
Wildcard; allows any URL except those with the data:, blob: or filesystem: schemes.
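The header grammar described above (directives separated by semicolons, space-separated source lists, 'none' standing alone, the * wildcard excluding data:, blob: and filesystem:, and block-all-mixed-content refusing http: fetches) worked through in code. This is an added example, not code from the original page and not any browser's implementation. It assumes, as the CSP specification states, that an absent fetch directive falls back to default-src, and it handles only the source-expression forms discussed on the page ('self', 'none', *, scheme sources and host sources with an optional *. prefix or port). The policy string, document origin and URLs are constructed for illustration.

```javascript
// Added example: minimal Content-Security-Policy parser and source-list matcher.
// Not a browser implementation; covers only 'self', 'none', *, scheme sources
// and host sources. Assumption: absent fetch directives fall back to default-src.

const WILDCARD_EXCLUDED_SCHEMES = new Set(['data:', 'blob:', 'filesystem:']);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "default-src 'self'; img-src *; block-all-mixed-content" into a Map of
// directive name -> array of source expressions. Directives are separated by ';',
// source expressions by whitespace. As in browsers, the first occurrence of a
// directive wins and later duplicates are ignored.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;                  // tolerate a trailing ';'
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    // 'none' has no meaning next to other sources; reject the policy rather than
    // silently producing something looser than the author intended.
    if (sources.includes("'none'") && sources.length > 1) {
      throw new Error(`${name}: 'none' must be the only source expression`);
    }
    if (!policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Effective port of a parsed URL, substituting the scheme default when none is given.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression permit `target` (a URL object) for a document served
// from `documentOrigin` (e.g. "https://app.example.com")?
function sourceMatches(source, target, documentOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === documentOrigin;
  // Wildcard: any URL except the data:, blob: and filesystem: schemes.
  if (source === '*') return !WILDCARD_EXCLUDED_SCHEMES.has(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {            // scheme source, e.g. https:
    return target.protocol === source.toLowerCase();
  }
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, subdomainWildcard, host, port] = m;
  const docScheme = new URL(documentOrigin).protocol;
  // Without an explicit scheme the source inherits the document's scheme
  // (an http document may also load the https form of the host).
  const allowedSchemes = scheme ? [scheme.toLowerCase() + ':']
    : docScheme === 'http:' ? ['http:', 'https:'] : [docScheme];
  if (!allowedSchemes.includes(target.protocol)) return false;
  const targetHost = target.hostname.toLowerCase();
  const hostMatches = subdomainWildcard
    ? targetHost.endsWith('.' + host.toLowerCase())     // *.example.com never matches example.com itself
    : targetHost === host.toLowerCase();
  if (!hostMatches) return false;
  if (port === undefined) {
    return effectivePort(target) === (DEFAULT_PORTS[target.protocol] ?? '');
  }
  return port === '*' || effectivePort(target) === port;
}

// Is a fetch of `url`, governed by `directive` (e.g. 'script-src'), allowed?
function isAllowed(policy, directive, url, documentOrigin) {
  const target = new URL(url);
  // block-all-mixed-content: a secure document may not fetch plain http: URLs,
  // whatever the -src directives would otherwise permit.
  if (policy.has('block-all-mixed-content') &&
      documentOrigin.startsWith('https:') && target.protocol === 'http:') {
    return false;
  }
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;               // nothing governs this fetch
  return sources.some(src => sourceMatches(src, target, documentOrigin));
}

// Constructed sample policy and document origin for illustration.
const SAMPLE_ORIGIN = 'https://app.example.com';
const SAMPLE_POLICY = parseCsp(
  "default-src 'self'; img-src *; script-src 'self' https://*.cdn.example.com; block-all-mixed-content"
);
for (const [directive, url] of [
  ['script-src', 'https://static.cdn.example.com/app.js'],   // allowed by *.cdn.example.com
  ['script-src', 'https://cdn.example.com/app.js'],          // blocked: wildcard needs a subdomain
  ['img-src', 'data:image/png;base64,AAAA'],                 // blocked: * excludes data:
  ['img-src', 'http://anywhere.example.org/a.png'],          // blocked: mixed content
  ['style-src', 'https://app.example.com/site.css'],         // allowed via default-src 'self'
]) {
  console.log(directive, url, isAllowed(SAMPLE_POLICY, directive, url, SAMPLE_ORIGIN));
}
```

Note that an empty source list (e.g. "script-src;") is deliberately not treated as missing: it stays an empty array and therefore blocks everything, matching browser behaviour, whereas a directive that is absent altogether falls back to default-src.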