Content Security Policy

From Web Security
Revision as of 21:00, 6 December 2012 by Mwest2 (Talk | contribs)

Jump to: navigation, search

Content Security Policy


A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.

Version 1.0

These directives are included in CSP 1.0.

  • default-src
  • script-src
  • object-src
  • img-src
  • media-src
  • style-src
  • frame-src
  • font-src
  • connect-src
  • report-uri
  • sandbox (optional)

Proposals for Version 1.1

These directives have been proposed for inclusion in CSP 1.1:

  • <meta> tag strawman spec
  • More granular source expressions (file-level paths) strawman spec
  • A script interface for reading policy details: strawman spec
  • form-action (Restricts URLs that can be used as actions for forms) strawman spec
  • script-nonce strawman spec
  • plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) strawman spec
  • reflected-xss (Folds X-XSS-Protection into CSP) strawman spec
  • Using script-sample from Mozilla's original implementation in CSP reports (useful for false positive detection, provide signatures of payloads for WAFs, and generally more informative)
  • Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')


Various folks are experimenting with these directives. If one of more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security and cross-posting is encouraged.

If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.