Content Security Policy

From Web Security
Revision as of 00:57, 4 May 2012 by Abarth (Talk | contribs)

Jump to: navigation, search

Content Security Policy


A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.

Version 1.0

These directives are currently slated for inclusion in CSP 1.0.

  • default-src
  • script-src
  • object-src
  • img-src
  • media-src
  • style-src
  • frame-src
  • font-src
  • connect-src
  • report-uri

Proposals for Version 1.1

This directives have been proposed for inclusion in CSP 1.1.

  • sandbox (Might get moved to 1.0; see ISSUE-6)
  • A DOM API for reading the policy? Maybe just a bit about whether eval is turned on? Proposal:
  • script-nonce
  • frame-ancestor and/or frame-options (should coordinate with the IETF websec working group)
  • form-action (Restricts the URIs that can be used as actions for forms)
  • plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page)
  • More granular source like (e.g., by directory)
  • <meta> tag


Various folks are experimenting with these directives. If one of more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security and cross-posting is encouraged.

If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.