The Content-Security-Policy header field allows web site administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.
To set a content security policy, add one or more policy directives to either of the response headers listed below. Alternatively, most policy directives can be used in a <meta> tag with the http-equiv attribute. If a policy directive is not defined, user agents will allow resources from anywhere. The default-src directive overrides this behavior for a select number of other directives. See the policy directives page for more information.
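As an added illustration of the fallback rule above (this is not code from the MDN page), the following Python snippet parses a serialized policy and resolves which source list a user agent would apply to a given directive; the directive names are standard CSP fetch directives, and the sample policy and the FALLS_BACK_TO_DEFAULT subset are constructed for the demonstration.

```python
# Fetch directives that fall back to default-src when absent (assumption: a
# representative subset; others such as worker-src behave the same way).
# Navigation directives like frame-ancestors deliberately are NOT listed:
# default-src does not govern them.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src",
}


def parse_csp(header_value):
    """Return {directive-name: [source, ...]} for a serialized policy.

    Directives are separated by ';' and sources by whitespace; names are
    case-insensitive. A repeated directive keeps its first occurrence,
    which is how user agents treat duplicates.
    """
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy, directive):
    """Resolve the source list the user agent applies to `directive`.

    Returns None for the "resources from anywhere" case: the directive is
    missing and either does not fall back or default-src is missing too.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def as_meta_tag(header_value):
    """Equivalent <meta http-equiv> form of an enforced policy.

    Only Content-Security-Policy has a <meta> form; the Report-Only header
    must be delivered as an HTTP response header.
    """
    return f'<meta http-equiv="Content-Security-Policy" content="{header_value}">'


# Constructed sample policy: scripts limited to self plus one CDN, images
# open, everything else (e.g. styles) inheriting 'self' from default-src.
SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
```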
The HTTP response headers
This section lists the HTTP response headers that servers send back to specify allowed origins for page contents as defined by the Content Security Policy specification.
CH-CSP
Indicates that a request is subject to a policy.
Content-Security-Policy
Specifies a page's content origins by resource type for enforcement by the user agent. This header may be used inside a <meta> tag.
Content-Security-Policy-Report-Only
Specifies a page's content origins by resource type for monitoring by the server. This header may not be used inside a <meta> tag.
Browser compatibility
{{ CompatibilityTable() }}
Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari |
---|---|---|---|---|---|
Basic support | {{CompatChrome(41.0)}} | {{ CompatVersionUnknown() }} | {{ CompatUnknown() }} | {{ CompatVersionUnknown() }} | {{ CompatUnknown() }} |

Feature | Android | Chrome for Android | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|
Basic support | {{CompatNo}} | {{ CompatUnknown() }} | {{ CompatUnknown() }} | {{ CompatUnknown() }} | {{ CompatUnknown() }} | {{ CompatUnknown() }} |