Revision 1107849 of CSP Policy Directives

  • Revision slug: Web/Security/CSP/CSP_policy_directives
  • Revision title: CSP Policy Directives
  • Revision id: 1107849
  • Creator: mikispag
  • Is current revision? No

There are several policy areas that web site administrators can define using Content Security Policy (CSP). Any combination of these can be used to suit your web site's needs; you don't need to specify them all.

Content sources

Most policy directives require one or more content sources. A content source is a string indicating a possible source from which content might be loaded.

Source lists

A source list is a string specifying one or more Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. The hosts are space-delimited.

Valid host expressions include:

https://*.example.com
Matches all attempts to load from any subdomain of example.com using the https: URL scheme.
mail.example.com:443
Matches all attempts to access port 443 on mail.example.com.
https://store.example.com
Matches all attempts to access store.example.com using https:.

If a port number isn't specified, the browser will use the default port number for the specified scheme. If no scheme is specified, the same scheme as the one used to access the protected document is assumed.

Keywords

There are also some keywords available to describe special classes of content sources. These are:

'none'
Refers to the empty set; that is, no URLs match. The single quotes are required.
'self'
Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them explicitly using the scheme sources listed under Data below.
'unsafe-inline'
Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.
'unsafe-eval'
Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.
Note: Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your web site up to cross-site scripting vulnerabilities.

For example, you can specify that content may be loaded from the document's origin as well as trustedscripts.example.com as follows:

Content-Security-Policy: default-src 'self' trustedscripts.example.com

Data

Note: data: URIs are unsafe and can open your web site up to cross-site scripting vulnerabilities if allowed for script sources.
data:
Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream:
Allows mediastream: URIs to be used as a content source.
blob:
Allows blob: URIs to be used as a content source.
filesystem:
Allows filesystem: URIs to be used as a content source.

For example, the following policy allows data:, blob: and filesystem: URIs for images and mediastream: URIs for media, while everything else stays same-origin:

Content-Security-Policy: default-src 'self'; img-src 'self' data: blob: filesystem:; media-src mediastream:

Supported policy directives

The following policy directives are available to control the security policy for the various policy areas.

base-uri

The base-uri directive defines the URIs that a user agent may use as the document base URL. If this directive is absent, any URI is allowed and the user agent will use the value given in the base element.

base-uri source-list

child-src

The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. This directive is preferred over the frame-src directive, which is deprecated. For workers, non-compliant requests are treated as fatal network errors by the user agent.

Note: If this directive is absent, the user agent will look for the default-src directive.
child-src source-list

connect-src

The connect-src directive defines valid sources for Fetch, XMLHttpRequest, WebSocket, and EventSource connections.

Note: If this directive is absent, the user agent will look for the default-src directive.
Note: Prior to Firefox 23, xhr-src was used in place of the connect-src directive and only restricted the use of XMLHttpRequest.
connect-src source-list

default-src

The default-src directive defines the security policy for types of content which are not expressly called out by more specific directives. This directive covers the following directives:

  • child-src
  • connect-src
  • font-src
  • img-src
  • manifest-src
  • media-src
  • object-src
  • script-src
  • style-src
default-src source-list
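The source-list matching rules described under Source lists and Keywords (wildcard host, wildcard and default ports, scheme inheritance, 'self' and 'none') together with the default-src fallback for the directives listed above, carried through as an added JavaScript example. This is not MDN's code; the demo policy, the DEMO and ORIGIN names and all helper functions are constructed for illustration, and hash and nonce sources are treated only as "never matches a URL".

```javascript
// Added example (not MDN's code): parse a Content-Security-Policy header,
// resolve a directive through the default-src fallback, and match a request
// URL against the resolved source list using the rules on this page.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Directives that fall back to default-src when absent (the list on this page).
const FALLS_BACK = new Set([
  "child-src", "connect-src", "font-src", "img-src", "manifest-src",
  "media-src", "object-src", "script-src", "style-src",
]);

// "default-src 'self'; img-src 'self' data:" -> { "default-src": ["'self'"], ... }
function parsePolicy(header) {
  const policy = {};
  for (const piece of header.split(";")) {
    const tokens = piece.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // first occurrence wins
  }
  return policy;
}

// Effective source list for a directive; null means nothing restricts it.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (FALLS_BACK.has(directive) && "default-src" in policy) return policy["default-src"];
  return null;
}

// Split a host expression such as "https://*.example.com:443" into its parts.
function parseHostExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s/:]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// "*.example.com" matches subdomains only, never the apex host itself.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression match `url`, given the protected document's origin?
function sourceMatches(expr, url, documentOrigin) {
  const u = new URL(url);
  const doc = new URL(documentOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return u.protocol === doc.protocol && u.hostname === doc.hostname &&
      (u.port || DEFAULT_PORTS[u.protocol] || "") === (doc.port || DEFAULT_PORTS[doc.protocol] || "");
  }
  if (expr.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not URL sources
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase(); // scheme source
  const p = parseHostExpression(expr);
  if (!p) return false;
  const scheme = p.scheme || doc.protocol; // no scheme given: inherit the document's scheme
  if (u.protocol !== scheme) return false;
  if (!hostMatches(p.host, u.hostname)) return false;
  const wantPort = p.port === null ? (DEFAULT_PORTS[scheme] || "") : p.port; // default port of the scheme
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  return wantPort === "*" || wantPort === urlPort;
}

// Is a load of `url` governed by `directive` allowed by `header`, from `documentOrigin`?
function isAllowed(header, directive, url, documentOrigin) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true; // neither the directive nor a fallback is present
  return sources.some((expr) => sourceMatches(expr, url, documentOrigin));
}

// Constructed demo policy built from this page's example host expressions.
const DEMO = "default-src 'self'; img-src 'self' data:; script-src https://*.example.com mail.example.com:443";
const ORIGIN = "https://store.example.com";
console.log(isAllowed(DEMO, "script-src", "https://cdn.example.com/app.js", ORIGIN)); // true
console.log(isAllowed(DEMO, "connect-src", "https://api.example.com/", ORIGIN));     // false (falls back to 'self')
```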

font-src

The font-src directive specifies valid sources for fonts loaded using @font-face.

Note: If this directive is absent the user agent will look for the default-src directive.
font-src source-list

form-action

The form-action directive (experimental) specifies valid endpoints for <form> submissions.

form-action source-list

frame-ancestors

The frame-ancestors directive (experimental) specifies valid parents that may embed a page using the <frame> and <iframe> elements. This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.

frame-ancestors source-list

frame-src (obsolete)

The frame-src directive specifies valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

Note: This directive is deprecated. Use child-src instead, unless you are supporting browsers that use CSP 1.0 only (e.g. Safari 9).
frame-src source-list

img-src

The img-src directive specifies valid sources of images and favicons.

Note: If this directive is absent, the user agent will look for the default-src directive.
img-src source-list

manifest-src

The manifest-src directive specifies which manifest can be applied to the resource.

Note: If this directive is absent, the user agent will look for the default-src directive.
manifest-src source-list

media-src

The media-src directive specifies valid sources for loading media using the <audio> and <video> elements.

Note: If this directive is absent, the user agent will look for the default-src directive.
media-src source-list

object-src

The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.

Note: If this directive is absent, the user agent will look for the default-src directive.
object-src source-list

plugin-types

The plugin-types directive specifies the valid plugins that the user agent may invoke.

plugin-types type-list

referrer

The referrer directive specifies information in the referer (sic) header for links away from a page. Valid values are no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, and unsafe-url.

referrer value

reflected-xss

The reflected-xss directive instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks. Valid values are allow, block, and filter. This directive is not supported in the <meta> element.

Note: This directive is ignored if it is contained in a meta element.
reflected-xss value

report-uri

The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. See Using CSP violation reports for details. This directive is not supported in the <meta> element.

report-uri uri
Note: Firefox currently requires using the same URL scheme and port for the report-uri as the content being protected by Content Security Policy.

sandbox

The sandbox directive applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.

sandbox value

script-src

The script-src directive specifies valid sources for JavaScript. When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively. In Chrome 49 and later, 'script-src http' will match both HTTP and HTTPS.

Note: If this directive is absent the user agent will look for the default-src directive.
script-src source-list

strict-dynamic

The strict-dynamic directive specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. For example, a policy such as script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/ would allow loading of a root script with <script nonce="R4nd0m" src="https://example.com/loader.js"> and propagate that trust to any script loaded by loader.js, but would not allow scripts to load on the strength of the https://whitelisted.com/ whitelist entry alone.

script-src 'strict-dynamic' 'nonce-someNonce'

Or

script-src 'strict-dynamic' 'sha256-hash'

It is possible to deploy strict-dynamic in a backwards compatible way, without requiring user-agent sniffing.
The policy:

script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'

will act like 'unsafe-inline' https: in browsers that support CSP1, https: 'nonce-abcdefg' in browsers that support CSP2, and 'nonce-abcdefg' 'strict-dynamic' in browsers that support CSP3.
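The three-level reading of the backwards-compatible policy above, as an added JavaScript example that is not MDN's code: it reduces the source list to what a CSP1, CSP2 or CSP3 browser acts on and then decides individual script loads. The POLICY constant, the LOADS records and the helper functions are constructed for illustration; hash sources and host sources are left out of the model, since the policy under discussion only uses https:.

```javascript
// Added example (not MDN's code). Models how browsers at CSP levels 1, 2 and 3
// interpret one script-src value, following the rules stated on this page:
//  - CSP1 does not know nonces or 'strict-dynamic' and ignores them;
//  - CSP2 honours nonces, and a nonce in the list disables 'unsafe-inline';
//  - CSP3 honours 'strict-dynamic', which drops host/scheme sources and
//    'unsafe-inline' and instead trusts scripts that already-trusted code adds
//    at runtime (non-parser-inserted script elements).
// Hash sources and host sources are not modelled; this policy only has https:.

const POLICY = "script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'";

// Extract the script-src source list from a policy string.
function parseScriptSrc(policy) {
  const m = /(?:^|;)\s*script-src\s+([^;]+)/i.exec(policy);
  return m ? m[1].trim().split(/\s+/) : [];
}

// Reduce the source list to the expressions a browser at `level` acts on.
function effectiveForLevel(sources, level) {
  let list = sources.slice();
  if (level < 2) list = list.filter((s) => !s.startsWith("'nonce-")); // CSP1: nonces unknown
  if (level < 3) list = list.filter((s) => s !== "'strict-dynamic'");  // CSP1/2: keyword unknown
  const hasNonce = list.some((s) => s.startsWith("'nonce-"));
  const strictDynamic = list.includes("'strict-dynamic'");
  // A nonce (CSP2+) or 'strict-dynamic' (CSP3) in the list disables 'unsafe-inline'.
  if (hasNonce || strictDynamic) list = list.filter((s) => s !== "'unsafe-inline'");
  // 'strict-dynamic' also discards every host and scheme source expression.
  if (strictDynamic) list = list.filter((s) => s.startsWith("'nonce-") || s === "'strict-dynamic'");
  return list;
}

// A script load is { inline, src, nonce, parserInserted }. Returns true when a
// browser at `level` would execute it under `sources`.
function scriptAllowed(sources, level, script) {
  const eff = effectiveForLevel(sources, level);
  if (script.nonce && eff.includes(`'nonce-${script.nonce}'`)) return true;
  if (eff.includes("'strict-dynamic'")) return !script.parserInserted; // trust propagated at runtime
  if (script.inline) return eff.includes("'unsafe-inline'");
  return eff.includes(new URL(script.src).protocol); // scheme source such as https:
}

// Decisions for the same load under CSP1, CSP2 and CSP3, in that order.
function decisions(script, policy = POLICY) {
  const sources = parseScriptSrc(policy);
  return [1, 2, 3].map((level) => scriptAllowed(sources, level, script));
}

// Constructed script loads mirroring the page's picture of a nonced root
// loader that then pulls in further scripts.
const LOADS = {
  inlineNoNonce: { inline: true, parserInserted: true },
  noncedLoader: { src: "https://example.com/loader.js", nonce: "abcdefg", parserInserted: true },
  markupHttpsNoNonce: { src: "https://cdn.example.com/x.js", parserInserted: true },
  addedByLoader: { src: "https://cdn.example.com/y.js", parserInserted: false },
  markupHttpNoNonce: { src: "http://cdn.example.com/z.js", parserInserted: true },
};

for (const [name, load] of Object.entries(LOADS)) {
  const verdicts = decisions(load).map((ok, i) => `CSP${i + 1}:${ok ? "allow" : "block"}`);
  console.log(name, verdicts.join(" "));
}
```

Note that markupHttpsNoNonce is the case that separates the levels: it loads under CSP1 and CSP2 through https: but is blocked once 'strict-dynamic' takes effect, while the script the loader adds at runtime stays allowed.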

style-src

The style-src directive specifies valid sources for stylesheets. This includes both externally-loaded stylesheets and inline use of the <style> element and HTML style attributes. Stylesheets from sources that aren't included in the source list are not requested or loaded. When either the style-src or the default-src directive is included, inline use of the <style> element and HTML style attributes are disabled unless you specify 'unsafe-inline'.

Note: If this directive is absent, the user agent will look for the default-src directive.
style-src source-list

upgrade-insecure-requests

The upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

Specifications

Specification | Comment
CSP 3.0 | Adds strict-dynamic.
Referrer Policy | Adds values for the referrer policy.
Upgrade Insecure Requests | Adds upgrade-insecure-requests.
CSP 1.1 | Adds base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, reflected-xss, and report-uri. Deprecates frame-src.
CSP 1.0 | Defines connect-src, default-src, font-src, frame-src, img-src, media-src, object-src, report-uri, sandbox, script-src, and style-src.

Browser compatibility

Legend: a version number is the first supporting version; (Yes) = supported, version unknown; ? = support unknown; No = not supported. Bracketed numbers refer to the notes below.

Desktop

Feature | Chrome | Firefox (Gecko) | Internet Explorer | Edge | Opera | Safari
Basic support | 14.0 [4], 25.0, 45.0 [2] | 2.0 [5], 23.0 | No | 12 | 15 | 6 [4], 7
base-uri | 40.0 | 35.0 | ? | ? | ? | ?
child-src | (Yes) | 45.0 | ? | ? | ? | ?
connect-src | (Yes) | 23.0 [6] | ? | ? | ? | ?
default-src | (Yes) | 23.0 | ? | ? | ? | ?
font-src | (Yes) | 23.0 | ? | ? | ? | ?
form-action | 40.0 | 36.0 | ? | ? | ? | ?
frame-ancestors | 40.0 | 33.0 | ? | ? | ? | ?
frame-src (obsolete) | (Yes) | ? | ? | ? | ? | ?
img-src | (Yes) | 23.0 | ? | ? | ? | ?
manifest-src | (Yes) | 41.0 | ? | ? | ? | ?
media-src | (Yes) | 23.0 | ? | ? | ? | ?
object-src | (Yes) | 23.0 | ? | ? | ? | ?
plugin-types | 40.0 | No | ? | ? | ? | ?
referrer | (Yes) [3] | 37.0 | ? | ? | ? | ?
reflected-xss | (Yes) | No | ? | ? | ? | ?
report-uri | 40.0 | ? | ? | ? | ? | ?
sandbox | (Yes) | 50.0 | 10 [5] | ? | ? | ?
script-src | (Yes) | 23.0 | ? | ? | ? | ?
strict-dynamic | 52.0 | ? | ? | ? | 39 | ?
style-src | (Yes) | 23.0 | ? | ? | ? | ?
upgrade-insecure-requests | 43.0 | 42.0 | No | No | 30 | No

Mobile

Feature | Android Browser | Android Webview | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile | Chrome for Android
Basic support | (Yes) [1] | (Yes), 45.0 [2] | 2.0 | ? | ? | 7.1 | (Yes), 45.0 [2]
base-uri | No | 40.0 | 35.0 | ? | ? | ? | 40.0
child-src | No | 40.0 | No | ? | ? | ? | 40.0
connect-src | ? | (Yes) | 23.0 [6] | ? | ? | ? | (Yes)
default-src | ? | (Yes) | No | ? | ? | ? | (Yes)
font-src | ? | (Yes) | No | ? | ? | ? | (Yes)
form-action | No | 40.0 | 36.0 | ? | ? | ? | 40.0
frame-ancestors | No | 40.0 | 33.0 | ? | ? | ? | 40.0
frame-src | ? | (Yes) | No | ? | ? | ? | (Yes)
img-src | ? | (Yes) | No | ? | ? | ? | (Yes)
manifest-src | ? | ? | 41.0 | ? | ? | ? | ?
media-src | ? | (Yes) | No | ? | ? | ? | (Yes)
object-src | ? | (Yes) | No | ? | ? | ? | (Yes)
plugin-types | No | 40.0 | No | ? | ? | ? | 40.0
referrer | ? [3] | (Yes) | 37.0 | ? | ? | ? | (Yes) [3]
reflected-xss | ? | (Yes) | No | ? | ? | ? | (Yes)
report-uri | No | 40.0 | No | ? | ? | ? | 40.0
sandbox | ? | (Yes) | 50.0 | ? | ? | ? | (Yes)
script-src | ? | (Yes) | No | ? | ? | ? | (Yes)
strict-dynamic | No | 52.0 | ? | ? | 39 | ? | 52.0
style-src | ? | (Yes) | No | ? | ? | ? | (Yes)
upgrade-insecure-requests | 42 | 43.0 | No | No | No | No | 43.0

[1] Deprecated since Android 4.0.

[2] Starting with version 45.0, Chrome excludes blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.

[3] Starting with Chrome 45, the referrer policy is constrained to the values defined in the Referrer Policy specification.

[4] Implemented as X-Webkit-CSP header.

[5] Implemented as X-Content-Security-Policy header.

[6] Prior to Firefox 50, the ping attribute of the <a> element did not abide by it.

See also

Revision Source

<p>There are several policy areas that web site administrators can define using Content Security Policy (CSP). Any combination of these can be used to suit your web site's needs; you don't need to specify them all.</p>

<h2 id="Content_sources">Content sources</h2>

<p>Most policy directives require one or more content sources. A content source is a string indicating a possible source from which content might be loaded.</p>

<h3 id="Source_lists">Source lists</h3>

<p>A source list is a string specifying one or more Internet hosts by name or IP address, as well as an optional <a href="/en-US/docs/URIs_and_URLs">URL scheme</a> and/or port number. The site's address may include an optional leading wildcard (the asterisk character, <code>'*'</code>), and you may use a wildcard (again, <code>'*'</code>) as the port number, indicating that all legal ports are valid for the source. The hosts are space-delimited.</p>

<p>Valid host expressions include:</p>

<dl>
 <dt><span class="nowiki">https://*.example.com</span></dt>
 <dd>Matches all attempts to load from any subdomain of example.com using the <code>http:</code> URL scheme.</dd>
 <dt><span class="nowiki">mail.</span><span class="nowiki">example</span> <span class="nowiki">.com:443</span></dt>
 <dd>Matches all attempts to access port 443 on mail.example.com.</dd>
 <dt><span class="nowiki">https://store.</span><span class="nowiki">example</span><span class="nowiki">.com</span></dt>
 <dd>Matches all attempts to access store.example.com using <code>https:</code>.</dd>
</dl>

<p>If a port number isn't specified, the browser will use the default port number for the specified scheme. If no scheme is specified, the same scheme as the one used to access the protected document is assumed.</p>

<h3 id="Keywords">Keywords</h3>

<p>There are also some keywords available to describe special classes of content sources. These are:</p>

<dl>
 <dt><code>'none'</code></dt>
 <dd>Refers to the empty set; that is, no URLs match. The single quotes are required.</dd>
 <dt><code>'self'</code></dt>
 <dd>Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude <code>blob</code> and <code>filesystem</code> from source directives. Sites needing to allow these content types can specify them using the Data attribute.</dd>
 <dt><code>'unsafe-inline'</code></dt>
 <dd>Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, <code>javascript:</code> URLs, inline event handlers, and inline {{HTMLElement("style")}} elements. You must include the single quotes.</dd>
 <dt><code>'unsafe-eval'</code></dt>
 <dd>Allows the use of <code>eval()</code> and similar methods for creating code from strings. You must include the single quotes.</dd>
</dl>

<div class="note"><strong>Note:</strong> Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your web site up to cross-site scripting vulnerabilities.</div>

<p>For example, you can specify that content may be loaded from the document's origin as well as trustedscripts.example.com as follows:</p>

<pre class="eval">
Content-Security-Policy: default-src 'self' trustedscripts.example.com
</pre>

<h3 id="Data">Data</h3>

<div class="note"><strong>Note:</strong> data: URIs are unsafe and can open your web site up to cross-site scripting vulnerabilities if allowed for script sources.</div>

<dl>
 <dt>data:</dt>
 <dd>Allows <a href="/en-US/docs/Web/HTTP/data_URIs"><code>data:</code> URIs</a> to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.</dd>
 <dt>mediastream:</dt>
 <dd>Allows <a href="/en-US/docs/Web/API/MediaStream_API"><code>mediastream:</code> URIs</a> to be used as a content source.</dd>
 <dt>blob:</dt>
 <dd>Allows <a href="/en-US/docs/Web/API/Blob"><code>blob:</code> URIs</a> to be used as a content source.</dd>
 <dt>filesystem:</dt>
 <dd>Allows <a href="/en-US/docs/Web/API/FileSystem"><code>filesystem:</code> URIs</a> to be used as a content source.</dd>
</dl>

<pre class="eval">
Content-Security-Policy: default-src 'self'; img-src 'self' data: blob: filesystem:; media-src mediastream:
</pre>

<h2 id="Supported_policy_directives">Supported policy directives</h2>

<p>The following policy directives are available to control the security policy for the various policy areas.</p>

<h3 id="base-uri"><code>base-uri</code></h3>

<p>The <code>base-uri</code><span> directive defines the URIs that a user agent may use as the document base URL. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the <code><a href="/en-US/docs/Web/HTML/Element/base">base</a></code> element.</span></p>

<pre class="eval">
base-uri <em>source-list</em></pre>

<h3 id="child-src"><code>child-src</code></h3>

<p>The <code>child-src</code> directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <span>{{HTMLElement("frame")}} and {{HTMLElement("iframe")}}. This directive is preferred over the <code>frame-src</code> directive, which is deprecated. For workers, non-compliant requests are treated as fatal network errors by the user agent.</span></p>

<div class="note"><strong>Note: </strong>If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<span>​child-src <em>source-list</em></span></pre>

<h3 id="connect-src"><code>connect-src</code></h3>

<p>The <code>connect-src</code> directive defines valid sources for <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>, <a href="/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIXMLHttpRequest"><code>XMLHttpRequest</code></a>, <a href="/en-US/docs/Web/API/WebSocket">WebSocket</a>, and <a href="/en-US/docs/Web/API/EventSource">EventSource</a> connections.</p>

<div class="note"><strong>Note:</strong> If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<div class="note"><strong>Note:</strong> Prior to Firefox 23, <code>xhr-src</code> was used in place of the <code>connect-src</code> directive and only restricted the use of <a href="/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIXMLHttpRequest"><code>XMLHttpRequest</code></a>.</div>

<pre class="eval">
<code>connect-src</code> <em><code>source-list</code></em></pre>

<h3 id="default-src"><code>default-src</code></h3>

<p>The <code>default-src</code> directive defines the security policy for types of content which are not expressly called out by more specific directives. This directive covers the following directives:</p>

<ul>
 <li><code>child-src</code></li>
 <li><code>connect-src</code></li>
 <li><code>font-src</code></li>
 <li><code>img-src</code></li>
 <li><code>manifest-src</code></li>
 <li><code>media-src</code></li>
 <li><code>object-src</code></li>
 <li><code>script-src</code></li>
 <li><code>style-src</code></li>
</ul>

<pre class="eval">
<code>default-src</code> <em><code>source-list</code></em></pre>

<h3 id="font-src"><code>font-src</code></h3>

<p>The <code>font-src</code> directive specifies valid sources for fonts loaded using {{cssxref("@font-face")}}.</p>

<div class="note"><strong>Note:</strong> If this directive is absent the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>font-src</code> <em><code>source-list</code></em></pre>

<h3 id="form-action"><code>form-action</code></h3>

<p>The <code>form-action</code>{{experimental_inline}} directive specifies valid endpoints for {{HTMLElement("form")}} submissions.</p>

<pre class="eval" id="source-src">
<code><code>form-action</code> <em><code>source-list</code></em></code></pre>

<h3 id="frame-ancestors"><code>frame-ancestors</code></h3>

<p>The <code>frame-ancestors</code>{{experimental_inline}} directive specifies valid parents that may embed a page using the {{HTMLElement("frame")}} and {{HTMLElement("iframe")}} elements. This directive is not supported in the <code>&lt;meta&gt;</code> element or by the <code>Content-Security-Policy-Report-Only</code> header field.</p>

<pre class="eval">
<code>frame-ancestors</code> <em><code>source-list</code></em></pre>

<h3 id="frame-src_obsolete_inline"><code>frame-src</code> {{obsolete_inline}}</h3>

<p>The <code>frame-src</code> directive specifies valid sources for web workers and nested browsing contexts loading using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}.</p>

<div class="note">
<div><strong>Note: </strong>This directive is deprecated. Use <code>child-src</code> instead, unless you are supporting browsers that use CSP 1.0 only (e.g. Safari 9).</div>
</div>

<pre class="eval">
frame-src <em>source-list</em></pre>

<h3 id="img-src"><code>img-src</code></h3>

<p>The <code>img-src</code> directive specifies valid sources of images and favicons.</p>

<div class="note"><strong>Note:</strong> If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>img-src</code> <em><code>source-list</code></em></pre>

<h3 id="manifest-src"><code>manifest-src</code></h3>

<p>The <code><strong>manifest-src</strong></code> directive specifies which manifest can be applied to the resource.</p>

<div class="note"><strong>Note:</strong> If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>manifest-src</code> <em><code>source-list</code></em></pre>

<h3 id="media-src"><code>media-src</code></h3>

<p>The <code>media-src</code> directive specifies valid sources for loading media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.</p>

<div class="note"><strong>Note:</strong> If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>media-src</code> <em><code>source-list</code></em></pre>

<h3 id="object-src"><code>object-src</code></h3>

<p>The <code>object-src</code> directive specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.</p>

<div class="note"><strong>Note:</strong> If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>object-src</code> <em><code>source-list</code></em></pre>

<h3 id="plugin-types"><code>plugin-types</code></h3>

<p>The <code>plugin-types</code> directive specifies the valid plugins that the user agent may invoke.</p>

<pre class="eval">
plugin-types <em>type-list</em></pre>

<h3 id="referrer"><code>referrer</code></h3>

<p>The <code>referrer</code> directive specifies information in the referer (sic) header for links away from a page. Valid values are <code>no-referrer</code>, <code>no-referrer-when-downgrade</code>, <code>origin</code>, <code>origin-when-cross-origin</code>, and <code>unsafe-url</code>.</p>

<pre class="eval">
​referrer <em>value</em></pre>

<h3 id="reflected-xss"><code>reflected-xss</code></h3>

<p>The <code>reflected-xss</code> directive instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks. Valid values are <code>allow</code>, <code>block</code>, and <code>filter</code>. This directive is not supported in the <code>&lt;meta&gt;</code> element.</p>

<div class="note"><strong>Note: </strong>This directive is ignored if it is contained in a <code>meta</code> element.</div>

<pre class="eval">
reflected-xss <em>value</em></pre>

<h3 id="report-uri"><code>report-uri</code></h3>

<p>The <code>report-uri</code> directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP <code>POST</code> request to the specified URI. See <a href="/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports">Using CSP violation reports</a> for details. This directive is not supported in the <code>&lt;meta&gt;</code> element.</p>

<pre class="eval">
<code>report-uri</code> <em><code><a class="external" href="https://tools.ietf.org/html/rfc2396">uri</a></code></em></pre>

<div class="note"><strong>Note:</strong> Firefox currently requires using the same URL scheme and port for the <code>report-uri</code> as the content being protected by Content Security Policy.</div>

<h3 id="sandbox"><code>sandbox</code></h3>

<p>The <code>sandbox</code> directive applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. This directive is not supported in the <code>&lt;meta&gt;</code> element or by the <code>Content-Security-policy-Report-Only</code> header field.</p>

<pre class="eval">
sandbox <em>value</em></pre>

<h3 id="script-src"><code>script-src</code></h3>

<p>The <code>script-src</code> directive specifies valid sources for JavaScript. When either the <code>script-src</code> or the <code>default-src</code> directive is included, inline script and <code>eval()</code> are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively. In Chrome 49 and later, 'script-src http' will match both HTTP and HTTPS.</p>

<div class="note"><strong>Note:</strong> If this directive is absent the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>script-src</code> <em><code>source-list</code></em></pre>

<h3 id="strict-dynamic"><code>strict-dynamic</code></h3>

<p>The <code>strict-dynamic</code> directive specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as <code>'self'</code> or <code>'unsafe-inline'</code> will be ignored. For example, a policy such as <code>script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/</code> would allow loading of a root script with <code>&lt;script nonce="R4nd0m" src="https://example.com/loader.js"&gt;</code> and propagate that trust to any script loaded by <code>loader.js</code>, but disallow loading scripts from <code>https://whitelisted.com/</code>.</p>

<pre>
script-src 'strict-dynamic' 'nonce-<em>someNonce</em>'</pre>

<p><em>Or</em></p>

<pre>
script-src 'strict-dynamic' 'sha256-<em>hash</em>'</pre>

<p>It is possible to deploy <code>strict-dynamic</code> in a backwards-compatible way, without requiring user-agent sniffing. The policy:</p>

<pre>
<code>script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'</code></pre>

<p>will act like <code>'unsafe-inline' https:</code> in browsers that support CSP1, <code>https: 'nonce-abcdefg'</code> in browsers that support CSP2, and <code>'nonce-abcdefg' 'strict-dynamic'</code> in browsers that support CSP3.</p>

<h3 id="style-src"><code>style-src</code></h3>

<p>The <code>style-src</code> directive specifies valid sources for stylesheets. This includes both externally-loaded stylesheets and inline use of the {{HTMLElement("style")}} element and HTML <code>style</code> attributes. Stylesheets from sources that aren't included in the source list are not requested or loaded. When either the <code>style-src</code> or the <code>default-src</code> directive is included, inline use of the {{HTMLElement("style")}} element and HTML <code>style</code> attributes is disabled unless you specify 'unsafe-inline'.</p>

<div class="note"><strong>Note:</strong> If this directive is absent, the user agent will look for the <code>default-src</code> directive.</div>

<pre class="eval">
<code>style-src</code> <em><code>source-list</code></em></pre>

<h3 id="upgrade-insecure-requests"><code>upgrade-insecure-requests</code></h3>

<p>The <code>upgrade-insecure-requests</code> directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.</p>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("CSP 3.0")}}</td>
   <td>{{Spec2('CSP 3.0')}}</td>
   <td>Adds&nbsp;<code>strict-dynamic</code>.</td>
  </tr>
  <tr>
   <td>{{specName("Referrer Policy")}}</td>
   <td>{{Spec2("Referrer Policy")}}</td>
   <td>Adds values for the <code>referrer</code> policy.</td>
  </tr>
  <tr>
   <td>{{specName("Upgrade Insecure Requests")}}</td>
   <td>{{Spec2('Upgrade Insecure Requests')}}</td>
   <td>Adds <code>upgrade-insecure-requests</code>.</td>
  </tr>
  <tr>
   <td>{{specName("CSP 1.1")}}</td>
   <td>{{Spec2('CSP 1.1')}}</td>
   <td>Adds <code>base-uri</code>, <code>child-src</code>, <code>form-action</code>, <code>frame-ancestors</code>, <code>plugin-types</code>, <code>referrer</code>, <code>reflected-xss</code>, and <code>report-uri</code>. Deprecates <code>frame-src</code>.</td>
  </tr>
  <tr>
   <td>{{specName("CSP 1.0")}}</td>
   <td>{{Spec2('CSP 1.0')}}</td>
   <td>Defines <code>connect-src</code>, <code>default-src</code>, <code>font-src</code>, <code>frame-src</code>, <code>img-src</code>, <code>media-src</code>, <code>object-src</code>, <code>report-uri</code>, <code>sandbox</code>, <code>script-src</code>, and <code>style-src</code>.</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p>{{CompatibilityTable}}</p>

<div id="compat-desktop">
<table class="compat-table">
 <tbody>
  <tr>
   <th>Feature</th>
   <th>Chrome</th>
   <th>Firefox (Gecko)</th>
   <th>Internet Explorer</th>
   <th>Edge</th>
   <th>Opera</th>
   <th>Safari</th>
  </tr>
  <tr>
   <td>Basic support</td>
   <td>{{CompatChrome(14.0)}}<sup>[4]</sup><br />
    {{CompatChrome(25.0)}}<br />
    {{CompatChrome(45.0)}}<sup>[2]</sup></td>
   <td>{{CompatGeckoDesktop("2.0")}}<sup>[5]</sup><br />
    {{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatNo}}</td>
   <td>12</td>
   <td>15</td>
   <td>6<sup>[4]</sup><br />
    7</td>
  </tr>
  <tr>
   <td><code>base-uri</code></td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatGeckoDesktop("35.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>child-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("45.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>connect-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}<sup>[6]</sup></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>default-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>font-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>form-action</code></td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatGeckoDesktop("36.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>frame-ancestors</code></td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatGeckoDesktop("33.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>frame-src</code> {{obsolete_inline}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>img-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>manifest-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("41.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>media-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>object-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>plugin-types</code></td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>referrer</code></td>
   <td>{{CompatVersionUnknown}}<sup>[3]</sup></td>
   <td>{{CompatGeckoDesktop("37.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>reflected-xss</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>report-uri</code></td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>sandbox</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("50.0")}}</td>
   <td>10<sup>[5]</sup></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>script-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>strict-dynamic</code></td>
   <td>{{CompatChrome(52.0)}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>39</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>style-src</code></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoDesktop("23.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>upgrade-insecure-requests</code></td>
   <td>{{CompatChrome(43.0)}}</td>
   <td>{{CompatGeckoDesktop("42.0")}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatNo}}</td>
   <td>30</td>
   <td>{{CompatNo}}</td>
  </tr>
 </tbody>
</table>
</div>

<div id="compat-mobile">
<table class="compat-table">
 <tbody>
  <tr>
   <th>Feature</th>
   <th>Android Browser</th>
   <th>Android Webview</th>
   <th>Firefox Mobile (Gecko)</th>
   <th>IE Mobile</th>
   <th>Opera Mobile</th>
   <th>Safari Mobile</th>
   <th>Chrome for Android</th>
  </tr>
  <tr>
   <td>Basic support</td>
   <td>{{CompatVersionUnknown}}<sup>[1]</sup></td>
   <td>{{CompatVersionUnknown}}<br />
    {{CompatChrome(45.0)}}<sup>[2]</sup></td>
   <td>{{CompatGeckoMobile("2.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>7.1</td>
   <td>{{CompatVersionUnknown}}<br />
    {{CompatChrome(45.0)}}<sup>[2]</sup></td>
  </tr>
  <tr>
   <td><code>base-uri</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatGeckoMobile("35.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(40.0)}}</td>
  </tr>
  <tr>
   <td><code>child-src</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(40.0)}}</td>
  </tr>
  <tr>
   <td><code>connect-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoMobile("23.0")}}<sup>[6]</sup></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>default-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>font-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>form-action</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatGeckoMobile("36.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(40.0)}}</td>
  </tr>
  <tr>
   <td><code>frame-ancestors</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatGeckoMobile("33.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(40.0)}}</td>
  </tr>
  <tr>
   <td><code>frame-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>img-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>manifest-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatGeckoDesktop("41.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
  </tr>
  <tr>
   <td><code>media-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>object-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>plugin-types</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(40.0)}}</td>
  </tr>
  <tr>
   <td><code>referrer</code></td>
   <td>{{CompatUnknown}}<sup>[3]</sup></td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoMobile("37.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}<sup>[3]</sup></td>
  </tr>
  <tr>
   <td><code>reflected-xss</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>report-uri</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(40.0)}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(40.0)}}</td>
  </tr>
  <tr>
   <td><code>sandbox</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatGeckoMobile("50.0")}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>script-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>strict-dynamic</code></td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(52.0)}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>39</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatChrome(52.0)}}</td>
  </tr>
  <tr>
   <td><code>style-src</code></td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatUnknown}}</td>
   <td>{{CompatVersionUnknown}}</td>
  </tr>
  <tr>
   <td><code>upgrade-insecure-requests</code></td>
   <td>{{CompatGeckoMobile(42)}}</td>
   <td>{{CompatChrome(43.0)}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatNo}}</td>
   <td>{{CompatChrome(43.0)}}</td>
  </tr>
 </tbody>
</table>
</div>

<p>[1] Deprecated since Android 4.0.</p>

<p>[2] Starting with version 45.0, Chrome excludes <code>blob</code> and <code>filesystem</code> from source directives. Sites needing to allow these content types can specify them using the Data attribute.</p>

<p>[3] Starting with Chrome 45, the referrer policy is constrained to the values defined in the Referrer Policy specification.</p>

<p>[4] Implemented as <code>X-Webkit-CSP</code> header.</p>

<p>[5] Implemented as <code>X-Content-Security-Policy</code> header.</p>

<p>[6] Prior to Firefox 50, the {{htmlattrxref("ping", "a")}} attribute of the {{htmlelement("a")}} element did not respect this directive.</p>

<h2 id="See_also">See also</h2>

<ul>
 <li><a href="/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy">Introducing Content Security Policy</a></li>
 <li><a href="/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy">Using Content Security Policy</a></li>
 <li><a href="/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports">Using CSP violation reports</a></li>
</ul>