Title
Content-Security-Policy Header ⟶ CSP Reference & Examples
Go Home
Description
Content Security Policy Header Reference Guide and Examples
Address
Phone Number
+1 609-831-2326 (US) | Message me
Site Icon
Content-Security-Policy Header ⟶ CSP Reference & Examples
Page Views
0
Share
Update Time
2022-05-08 15:04:59

"I love Content-Security-Policy Header ⟶ CSP Reference & Examples"

www.content-security-policy.com VS www.gqak.com

2022-05-08 15:04:59

CSP Reference FAQ Browser Test Examples Content Security Policy (CSP) Quick Reference Guide Content Security Policy Reference The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring which dynamic resources are allowed to load. Tweet Edit on GitHub What is Content-Security-Policy? Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads. Although it is primarily used as a HTTP response header, you can also apply it via a meta tag. The term Content Security Policy is often abbreviated as CSP. What types of attacks does Content-Security-Policy help mitigate? CSP was first designed to reduce the attack surface of Cross Site Scripting (XSS) attacks, later versions of the spec also protect against other forms of attack such as Click Jacking. CSP Browser Support Content Security Policy is supported by all the major modern browsers, and has been for many years. It is not supported in Internet Explorer. Chrome Content-Security-Policy CSP Level 3 - Chrome 59+ Partial Support Content-Security-Policy CSP Level 2 - Chrome 40+ Full Support Since January 2015 Content-Security-Policy CSP 1.0 - Chrome 25+ X-Webkit-CSP Deprecated - Chrome 14-24 Firefox Content-Security-Policy CSP Level 3 - Firefox 58+ Partial Support Content-Security-Policy CSP Level 2 - Firefox 31+ Partial Support since July 2014 Content-Security-Policy CSP 1.0 - Firefox 23+ Full Support X-Content-Security-Policy Deprecated - Firefox 4-22 Safari Content-Security-Policy CSP Level 3 - Safari 15.4+ Partial Support Content-Security-Policy CSP Level 2 - Safari 10+ Content-Security-Policy CSP 1.0 - Safari 7+ X-Webkit-CSP Deprecated - Safari 6 Edge Content-Security-Policy CSP Level 3 - Edge 79+ Partial Support Content-Security-Policy CSP Level 2 - Edge 15+ Partial, 76+ Full Content-Security-Policy CSP 1.0 - Edge 12+ Internet Explorer X-Content-Security-Policy Deprecated - IE 10-11 support sandbox only Try our CSP Browser Test to test your browser. Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers. CSP Directive Reference The Content-Security-Policy header value is made up of one or more directives (defined below), multiple directives are separated with a semicolon ; This documentation is provided based on the Content Security Policy Level 2 W3C Recommendation, and the CSP Level 3 W3C Working Draft default-src The default-src directive defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media. Not all directives fallback to default-src. See the Source List Reference for possible values. Example default-src Policy default-src 'self' cdn.example.com; CSP Level 1 25+ 23+ 7+ 12+ script-src Defines valid sources of JavaScript. Example script-src Policy script-src 'self' js.example.com; CSP Level 1 25+ 23+ 7+ 12+ style-src Defines valid sources of stylesheets or CSS. Example style-src Policy style-src 'self' css.example.com; CSP Level 1 25+ 23+ 7+ 12+ img-src Defines valid sources of images. Example img-src Policy img-src 'self' img.example.com; CSP Level 1 25+ 23+ 7+ 12+ connect-src Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), or EventSource. If not allowed the browser emulates a 400 HTTP status code. Example connect-src Policy connect-src 'self'; CSP Level 1 25+ 23+ 7+ 12+ font-src Defines valid sources of font resources (loaded via @font-face). Example font-src policy font-src font.example.com; CSP Level 1 25+ 23+ 7+ 12+ object-src Defines valid sources of plugins, eg , or . Example object-src Policy object-src 'self'; CSP Level 1 25+ 23+ 7+ 12+ media-src Defines valid sources of audio and video, eg HTML5 , elements. Example media-src Policy media-src media.example.com; CSP Level 1 25+ 23+ 7+ 12+ frame-src Defines valid sources for loading frames. In CSP Level 2 frame-src was deprecated in favor of the child-src directive. CSP Level 3, has undeprecated frame-src and it will continue to defer to child-src if not present. Exapmle frame-src Policy frame-src 'self'; CSP Level 1 sandbox Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same origin policy, prevents popups, plugins and script execution is blocked. You can keep the sandbox value empty to keep all restrictions in place, or add values: allow-forms allow-same-origin allow-scripts allow-popups, allow-modals, allow-orientation-lock, allow-pointer-lock, allow-presentation, allow-popups-to-escape-sandbox, and allow-top-navigation Example sandbox Policy sandbox allow-forms allow-scripts; CSP Level 1 25+ 50+ 7+ 12+ report-uri Instructs the browser to POST a reports of policy failures to this URI. You can also use Content-Security-Policy-Report-Only as the HTTP header name to instruct the browser to only send reports (does not block anything). This directive is deprecated in CSP Level 3 in favor of the report-to directive. Example report-uri report-uri /some-report-uri; CSP Level 1 25+ 23+ 7+ 12+ child-src Defines valid sources for web workers and nested browsing contexts loaded using elements such as and Example child-src Policy child-src 'self' CSP Level 2 40+ 45+ 15+ form-action Defines valid sources that can be used as an HTML action. Example form-action Policy form-action 'self'; CSP Level 2 40+ 36+ 15+ frame-ancestors Defines valid sources for embedding the resource using . Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY Example frame-ancestors Policy frame-ancestors 'none'; CSP Level 2 39+ 33+ 15+ plugin-types Defines valid MIME types for plugins invoked via and . To load an you must specify application/x-java-applet. Example plugin-types Policy plugin-types application/pdf; CSP Level 2 40+ 15+ base-uri Defines a set of allowed URLs which can be used in the src attribute of a HTML base tag. Example base-uri Policy base-uri 'self'; CSP Level 2 40+ 15+ report-to Defines a reporting group name defined by a Report-To HTTP response header. See the Reporting API for more info. Example report-to Directive report-to groupName; CSP Level 3 70+ worker-src Restricts the URLs which may be loaded as a Worker, SharedWorker or ServiceWorker. Example worker-src Policy worker-src 'none'; CSP Level 3 59+ 58+ manifest-src Restricts the URLs that application manifests can be loaded. Example manifest-src Policy manifest-src 'none'; CSP Level 3 Yes 40+ prefetch-src Defines valid sources for request prefetch and prerendering, for example via the link tag with rel="prefetch" or rel="prerender": Example prefetch-src Policy prefetch-src 'none' CSP Level 3 navigate-to Restricts the URLs that the document may navigate to by any means. For example when a link is clicked, a form is submitted, or window.location is invoked. If form-action is present then this directive is ignored for form submissions. Implementation Status Example navigate-to Policy navigate-to example.com CSP Level 3 Source List Reference All of the directives that end with -src support similar values known as a source list. Multiple source list values can be space separated with the exception of 'none' which should be the only value. Source Value Example Description * img-src * Wildcard, allows any URL except data: blob: filesystem: schemes. 'none' object-src 'none' Prevents loading resources from any source. 'self' script-src 'self' Allows loading resources from the same origin (same scheme, host and port). data: img-src 'self' data: Allows loading resources via the data scheme (eg Base64 encoded images). domain.example.com img-src domain.example.com Allows loading resources from the specified domain name. *.example.com img-src *.example.com Allows loading resources from any subdomain under example.com. https://cdn.com img-src https://cdn.com Allows loading resources only over HTTPS matching the given domain. https: img-src https: Allows loading resources only over HTTPS on any domain. 'unsafe-inline' script-src 'unsafe-inline' Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to) and javascript: URIs 'unsafe-eval' script-src 'unsafe-eval' Allows unsafe dynamic code evaluation such as JavaScript eval() 'sha256-' script-src 'sha256-xyz...' Allows an inline script or CSS to execute if its hash matches the specified hash in the header. Currently supports SHA256, SHA384 or SHA512. CSP Level 2 'nonce-' script-src 'nonce-rAnd0m' Allows an inline script or CSS to execute if the script (eg: ) tag contains a nonce attribute matching the nonce specifed in the CSP header. The nonce should be a secure random string, and should not be reused. CSP Level 2 'strict-dynamic' script-src 'strict-dynamic' Enables an allowed script to load additional scripts via non-"parser-inserted" script elements (for example document.createElement('script'); is allowed). CSP Level 3 'unsafe-hashes' script-src 'unsafe-hashes' 'sha256-abc...' Allows you to enable scripts in event handlers (eg onclick). Does not apply to javascript: or inline CSP Level 3 Content-Security-Policy Examples Here a few common scenarios for content security policies: Allow everything but only from the same origin default-src 'self'; Only Allow Scripts from the same origin script-src 'self'; Allow Google Analytics, Google AJAX CDN and Same Origin script-src 'self' www.google-analytics.com ajax.googleapis.com; Starter Policy This policy allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc). It is a good starting point for many sites. default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self' Content-Security-Policy Error Messages In Chrome when a Content Security Policy Script Violation happens you get a message like this one in the Chrome Developer Tools: Refused to load the script 'script-uri' because it violates the following Content Security Policy directive: "your CSP directive". In Firefox you might see messages like this in the Web Developer Tools: Content Security Policy: A violation occurred for a report-only CSP policy ("An attempt to execute inline scripts has been blocked"). The behavior was allowed, and a CSP report was sent. In addition to a console message, a securitypolicyviolation event is fired on the window. See https://www.w3.org/TR/CSP2/#firing-securitypolicyviolationevent-events. Server Side Configuration Any server side programming environment should allow you to send back a custom HTTP response header. You can also use your web server to send back the header. Apache Content-Security-Policy Header Add the following to your httpd.conf in your VirtualHost or in an .htaccess file: Header set Content-Security-Policy "default-src 'self';" Nginx Content-Security-Policy Header In your server {} block add: add_header Content-Security-Policy "default-src 'self';"; You can also append always to the end to ensure that nginx sends the header regardless of response code. IIS Content-Security-Policy Header You can use the HTTP Response Headers GUI in IIS Manager or add the following to your web.config: CSP Developer Field Guide Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly. Grab a Copy Struggling to stay on top of security advisories? Advisory Week is a weekly roundup of all the security advisories published by the major software vendors. © Foundeo Inc. 2012-2021 - Contact Us