Content-Security-Policy (CSP) header - HTTP | MDN
The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.
See the Content Security Policy (CSP) guide for details about how a CSP is delivered to the browser, what it looks like, along with use cases and deployment strategies.
| Header type | Response header |
|---|---|
| Forbidden request header | no |
Syntax
```http
Content-Security-Policy: <policy-directive>; <policy-directive>
```
where `<policy-directive>` consists of: `<directive> <value>` with no internal punctuation.
Directives
Fetch directives
Fetch directives control the locations from which certain resource types may be loaded.
child-src
Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. Fallback for frame-src and worker-src.
connect-src
Restricts the URLs which can be loaded using script interfaces.
default-src
Serves as a fallback for all other fetch directives.
fenced-frame-src Experimental
Specifies valid sources for nested browsing contexts loaded into <fencedframe> elements.
font-src
Specifies valid sources for fonts loaded using @font-face.
frame-src
Specifies valid sources for nested browsing contexts loaded into elements such as <frame> and <iframe>.
img-src
Specifies valid sources of images and favicons.
manifest-src
Specifies valid sources of application manifest files.
media-src
Specifies valid sources for loading media using the <audio>, <video> and <track> elements.
object-src
Specifies valid sources for the <object> and <embed> elements.
prefetch-src Deprecated Non-standard
Specifies valid sources to be prefetched or prerendered.
script-src
Specifies valid sources for JavaScript and WebAssembly resources. Fallback for script-src-elem and script-src-attr.
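The following Python script is an added example, not MDN's code or any browser's implementation. It parses a header value in the syntax given above and resolves the fallback relationships described for the fetch directives: frame-src and worker-src fall back to child-src, script-src-elem and script-src-attr to script-src, and everything to default-src. It goes slightly beyond the page in one place: worker-src's chain also passes through script-src before default-src, as the CSP3 specification defines. The sample header, page origin and URLs are constructed, and the source-expression matcher is deliberately simplified (scheme, host, port and a leading `*.` wildcard only; no path, nonce or hash matching).

```python
"""Added example (not MDN's code): parse a Content-Security-Policy header and
resolve which fetch directive governs a given resource load."""
from __future__ import annotations

from urllib.parse import urlsplit

# Fetch directives from the page. Each maps to the fallback chain consulted
# when it is absent; default-src is the final fallback for all of them.
# worker-src's chain (child-src, then script-src) follows the CSP3 spec; the
# page itself only names child-src as its fallback.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "default-src", "fenced-frame-src", "font-src",
    "frame-src", "img-src", "manifest-src", "media-src", "object-src",
    "prefetch-src", "script-src", "script-src-elem", "script-src-attr",
    "worker-src",
}
FALLBACK_CHAIN = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "default-src": [],
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated; a directive name is separated from its
    values by whitespace. A repeated directive name is ignored after its
    first occurrence, as the CSP spec requires.
    """
    policy: dict[str, list[str]] = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate: only the first occurrence counts
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return (directive_that_applies, sources) after walking the fallback
    chain, or (None, None) when nothing in the chain is set (unrestricted)."""
    if directive not in FETCH_DIRECTIVES:
        raise ValueError(f"not a fetch directive: {directive}")
    for name in [directive] + FALLBACK_CHAIN.get(directive, ["default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified source-expression match: 'none', 'self', '*', and host
    sources with optional scheme, port and a leading '*.' wildcard.
    Paths, nonces and hashes are deliberately not modelled here."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    target = urlsplit(url)
    if source == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if source.startswith("'"):
        return False  # nonce-, hash- and other keyword sources: out of scope
    if "://" not in source:
        source = f"{urlsplit(page_origin).scheme}://{source}"
    expr = urlsplit(source)
    if expr.scheme != target.scheme:
        return False
    if expr.port is not None and expr.port != target.port:
        return False
    host = expr.hostname or ""
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return host == target.hostname


def is_allowed(policy, directive: str, url: str, page_origin: str) -> bool:
    """Would this policy let content governed by `directive` load from `url`?"""
    applied, sources = effective_sources(policy, directive)
    if applied is None:
        return True  # no directive in the chain: CSP does not restrict it
    return any(source_matches(s, url, page_origin) for s in sources)


# Constructed sample policy; the duplicated script-src is ignored by the parser.
SAMPLE_HEADER = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                 "img-src *; script-src 'unsafe-inline'; frame-src 'none'")
PAGE_ORIGIN = "https://shop.example"  # constructed page origin

if __name__ == "__main__":
    policy = parse_csp(SAMPLE_HEADER)
    for d in ("script-src-elem", "worker-src", "connect-src", "frame-src"):
        print(d, "->", effective_sources(policy, d))
    print(is_allowed(policy, "script-src-elem", "https://cdn.example.com/app.js", PAGE_ORIGIN))
    print(is_allowed(policy, "script-src-elem", "https://other.example/x.js", PAGE_ORIGIN))
```

Two behaviours worth noticing when reviewing a deployed policy: a second `script-src` later in the header does not loosen the first one (browsers keep the first occurrence), and a resource type whose whole fallback chain is absent, for example `font-src` when neither it nor `default-src` is set, is not restricted at all, which is why `default-src` is normally the first directive written.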