
Revision 1104477 of Content-Security-Policy

  • Revision slug: Web/HTTP/Headers/Content-Security-Policy
  • Revision title: Content-Security-Policy
  • Revision id: 1104477
  • Created:
  • Creator: teoli
  • Is current revision? No
  • Comment

Revision Content

{{HTTPSidebar}}{{SeeCompatTable}}

DRAFT

The Content-Security-Policy header field allows web site administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.

To set a content security policy, add one or more policy directives to either of the response headers listed below. Alternatively, most policy directives can be used in a <meta> tag with the http-equiv attribute. If a policy directive is not defined, user agents will allow resources from anywhere. The default-src directive overrides this behavior for a select number of other directives. See the policy directives page for more information.

The HTTP response headers

This section lists the HTTP response headers that servers send back to specify allowed origins for page contents as defined by the Content Security Policy specification. 

CH-CSP

Indicates that a request is subject to a policy.

Content-Security-Policy

Specifies a page's content origins by resource type for enforcement by the user agent. This header may be used inside a <meta> tag.

Content-Security-Policy-Report-Only

Specifies a page's content origins by resource type for monitoring by the server. This header may not be used inside a <meta> tag.
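The two behaviors described above, the default-src fallback for undefined directives and the rule that only the enforcing header may be delivered in a <meta> tag, as an added example that is not part of the MDN page. The fallback set and the sample policy are constructed for the example; consult the policy directives page for the authoritative list.

```python
"""Added example (not from the MDN page): parse a Content-Security-Policy
value and resolve which source list governs a given directive, applying
the default-src fallback and the "no directive -> allow anywhere" rule."""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when they are not set.
# Constructed subset for this example; frame-ancestors, for instance, is
# deliberately absent because it does not inherit from default-src.
DEFAULT_SRC_FALLBACK = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "child-src",
}

# Constructed sample policy as it would appear in the response header.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into {name: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        # A duplicated directive name is ignored; the first occurrence wins.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list restricting `directive`, or None when nothing
    restricts it (the user agent then allows resources from anywhere)."""
    if directive in policy:
        return policy[directive]
    if directive in DEFAULT_SRC_FALLBACK and "default-src" in policy:
        return policy["default-src"]
    return None


def header_for_delivery(value: str, report_only: bool = False, via_meta: bool = False) -> str:
    """Render the header line or <meta> tag; Report-Only is refused in <meta>."""
    if report_only and via_meta:
        raise ValueError("Content-Security-Policy-Report-Only cannot be used in a <meta> tag")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    if via_meta:
        return f'<meta http-equiv="{name}" content="{value}">'
    return f"{name}: {value}"
```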

Browser compatibility

{{ CompatibilityTable() }}

Desktop:

Feature       | Chrome                 | Firefox (Gecko)              | Internet Explorer     | Opera                        | Safari
Basic support | {{CompatChrome(41.0)}} | {{ CompatVersionUnknown() }} | {{ CompatUnknown() }} | {{ CompatVersionUnknown() }} | {{ CompatUnknown() }}

Mobile:

Feature       | Android      | Chrome for Android    | Firefox Mobile (Gecko) | IE Mobile             | Opera Mobile          | Safari Mobile
Basic support | {{CompatNo}} | {{ CompatUnknown() }} | {{ CompatUnknown() }}  | {{ CompatUnknown() }} | {{ CompatUnknown() }} | {{ CompatUnknown() }}

See Also

  • Using Content Security Policy (/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy)
  • CSP Policy Directives (/en-US/docs/Web/Security/CSP/CSP_policy_directives)

Revision Source

<p>{{HTTPSidebar}}{{SeeCompatTable}}</p>

<div class="overheadIndicator draft draftHeader"><strong>DRAFT</strong></div>

<p>The Content-Security-Policy header field allows web site administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.</p>

<p>To set a content security policy, add one or more <a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives">policy directives</a> to either of the response headers listed below. Alternatively, most policy directives can be used in a <code>&lt;meta&gt;</code> tag with the <code>http-equiv</code> attribute. If a policy directive is not defined, user agents will allow resources from anywhere. The <code>default-src</code> directive overrides this behavior for a select number of other directives. See the policy directives page for more information.</p>

<h2 id="The_HTTP_response_headers"><span style="font-size:2.14285714285714rem">The HTTP response headers</span></h2>

<p>This section lists the HTTP response headers that servers send back to specify allowed origins for page contents as defined by the Content Security Policy specification.&nbsp;</p>

<h3 id="CH-CSP">CH-CSP</h3>

<p>Indicates that a request is subject to a policy.</p>

<h3 id="Content-Security-Policy">Content-Security-Policy</h3>

<p>Specifies a page's content origins by resource type for enforcement by the user agent. This header may be used inside a <code>&lt;meta&gt;</code> tag.</p>

<h3 id="Content-Security-Policy-Report-Only">Content-Security-Policy-Report-Only</h3>

<p>Specifies a page's content origins by resource type for monitoring by the server. This header may&nbsp;<em>not</em> be used inside a <code>&lt;meta&gt;</code> tag.</p>

<h2 id="Browser_compatibility"><span style="font-size:2.14285714285714rem">Browser compatibility</span></h2>

<p>{{ CompatibilityTable() }}</p>

<div id="compat-desktop">
<table class="compat-table">
 <tbody>
  <tr>
   <th style="line-height: 16px;">Feature</th>
   <th style="line-height: 16px;">Chrome</th>
   <th style="line-height: 16px;">Firefox (Gecko)</th>
   <th style="line-height: 16px;">Internet Explorer</th>
   <th style="line-height: 16px;">Opera</th>
   <th style="line-height: 16px;">Safari</th>
  </tr>
  <tr>
   <td>Basic support</td>
   <td>{{CompatChrome(41.0)}}</td>
   <td>{{ CompatVersionUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatVersionUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
  </tr>
 </tbody>
</table>
</div>

<div id="compat-mobile">
<table class="compat-table">
 <tbody>
  <tr>
   <th style="line-height: 16px;">Feature</th>
   <th style="line-height: 16px;">Android</th>
   <th style="line-height: 16px;">Chrome for Android</th>
   <th style="line-height: 16px;">Firefox Mobile (Gecko)</th>
   <th style="line-height: 16px;">IE Mobile</th>
   <th style="line-height: 16px;">Opera Mobile</th>
   <th style="line-height: 16px;">Safari Mobile</th>
  </tr>
  <tr>
   <td>Basic support</td>
   <td>{{CompatNo}}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
  </tr>
 </tbody>
</table>
</div>

<h2 id="See_Also">See Also</h2>

<ul>
 <li><a href="/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy">Using Content Security Policy</a></li>
 <li><a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives">CSP Policy Directives</a></li>
</ul>