Content Security Policy


Default Source

default-src is the fallback for every fetch directive that is not set explicitly (script-src, style-src, img-src, connect-src, font-src, media-src and so on). It does not cover base-uri, form-action, frame-ancestors or sandbox; those must be set on their own.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, with an optional URL scheme, port number and path. The host may start with a wildcard ('*.') to match any subdomain: *.example.com matches cdn.example.com but not example.com itself. '*' may also be used as the port number, indicating that all legal ports are valid for the source; a source without a port matches only the default port of its scheme. A host source with no scheme matches the scheme of the protected document (and https: when the document is http:). A path, when given, is matched as a prefix if it ends in '/' and exactly otherwise, so https://cdn.example.com/js/ allows everything under /js/ while https://cdn.example.com/js/app.js allows that one file. Prefer narrow paths: allowing an entire CDN host also allows every library hosted there, including ones that can be used to bypass CSP (JSONP endpoints, older AngularJS builds).
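The matching rules above, as an added example that is not part of the original page or of the product it documents: a small Node.js matcher that applies the scheme, host, port and path rules of a CSP host source to a candidate URL. The hostnames (cdn.example.com, app.example) are made up for illustration, and the function is a teaching implementation of the specification's algorithm, not a browser's code.

```javascript
// Added example: CSP host-source matching (scheme, host wildcard, port, path prefix).
// Not browser code; a compact re-statement of the spec's matching algorithm.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a host-source expression such as "*.example.com:*/js/" into its parts.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/[^\s]*)?$/i.exec(expr);
  if (!m) throw new Error(`not a host source: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Scheme-part match: http: also matches https:, ws: also matches wss: (CSP 3 upgrade rule).
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  return (exprScheme === 'http:' && urlScheme === 'https:') ||
         (exprScheme === 'ws:' && urlScheme === 'wss:');
}

// Host-part match: "*" matches any host; "*.example.com" matches any subdomain
// but not example.com itself; otherwise the host must match exactly.
function hostMatches(exprHost, urlHost) {
  if (exprHost === '*') return true;
  if (exprHost.startsWith('*.')) {
    const suffix = exprHost.slice(1); // ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// Port-part match: "*" matches any port; an omitted port matches only the
// default port of the URL's scheme; otherwise the port must match exactly.
function portMatches(exprPort, urlPort, urlScheme) {
  const effective = urlPort || DEFAULT_PORTS[urlScheme] || '';
  if (exprPort === '*') return true;
  if (exprPort === null) return effective === DEFAULT_PORTS[urlScheme];
  return exprPort === effective;
}

// Path-part match: a path ending in "/" is a prefix; any other path must match exactly.
function pathMatches(exprPath, urlPath) {
  if (exprPath === null || exprPath === '/') return true;
  return exprPath.endsWith('/') ? urlPath.startsWith(exprPath) : urlPath === exprPath;
}

// Does `url` match host-source `expr` for a document served from `documentOrigin`?
// A source with no scheme inherits the document's scheme (with the http->https upgrade).
function hostSourceMatches(expr, url, documentOrigin = 'https://app.example') {
  const src = parseHostSource(expr);
  const u = new URL(url);
  const exprScheme = src.scheme || new URL(documentOrigin).protocol;
  return schemeMatches(exprScheme, u.protocol) &&
         hostMatches(src.host, u.hostname) &&
         portMatches(src.port, u.port, u.protocol) &&
         pathMatches(src.path, u.pathname);
}

// Usage: hostSourceMatches('*.example.com', 'https://cdn.example.com/lib.js') -> true
```

Running the matcher against a proposed allow-list before deploying it is a cheap way to catch the two classic surprises: a wildcard that silently fails to cover the apex domain, and a host source without a scheme that matches both http and https when the document is served over http.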
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Allow JavaScript modules to inherit URL permissions
type: boolean
The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, is propagated to all the scripts loaded by that root script (for example via document.createElement('script') or dynamic import). At the same time, any allow-list or source expressions such as 'self' or 'unsafe-inline' are ignored by browsers that support CSP 3; older browsers ignore 'strict-dynamic' instead and fall back to the allow-list, so the two can be combined for compatibility. Scripts inserted through parser-driven markup (innerHTML, document.write) do not inherit trust. See script-src for an example.
Security
Allow JavaScript eval()
type: boolean

The 'unsafe-eval' source expression controls several script execution methods that create code from strings. If 'unsafe-eval' isn't specified with the script-src directive, the following are blocked: eval() and Function() throw an EvalError, and string-argument timers are silently dropped without running:

  • eval()
  • Function() (the Function constructor)
  • the timer functions when passed a string instead of a function, e.g. window.setTimeout("alert(\"Hello World!\");", 500):
    • window.setTimeout
    • window.setInterval
    • window.setImmediate
  • window.execScript (IE < 11 only)


Allow inline @style and events (@onclick)

Allows the use of inline resources, such as inline event handlers, eg. @onclick, inline <script> elements for javascript, and @style and inline <style> elements for CSS.

Add secure dynamic nonce token to allow in-document styles and script

An allow-list for specific inline scripts using a cryptographic nonce (number used once).

The server must generate a unique nonce value each time it transmits a policy.

It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial.

Allow inline styles etc. based on SHA hashing

This is the 'unsafe-hashes' keyword. On its own, a hash source only matches the body of an inline <script> or <style> element; 'unsafe-hashes' extends hash matching to inline event handlers (@onclick and friends) and @style attributes, so that a hash listed below can authorise them.

If you only need to allow specific inline event handlers and not inline <script> elements or javascript: URLs, this is a safer method than using the 'unsafe-inline' expression, because only handlers whose exact text you hashed are allowed.

Hashes

Allowed SHAs (checksum reflecting the allowed style or JavaScript)
type: text
type: text
type: text

A sha256, sha384 or sha512 hash of scripts or styles. The source expression consists of two portions separated by a dash, all in single quotes: the hash algorithm and the base64-encoded digest of the script or style, e.g. 'sha256-<base64 digest>'. The digest is taken over the exact text between the opening and closing tag (for an event handler, the attribute value), so any change to whitespace or line breaks invalidates it. Browsers print the expected hash in the console when they block an inline script, which is the easiest way to obtain it.

In CSP 2.0, this applied only to inline scripts. CSP 3.0 also allows it for external scripts under script-src, provided the <script> element carries an integrity attribute whose hash matches a listed source.

Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report. Useful for telling an injection attempt apart from a browser extension, but the sample may contain user data, so treat reports as sensitive.

Base URI

base-uri restricts the URLs that may be used in the document's <base> element. It does not fall back to default-src, so set it explicitly (usually 'self' or 'none'); otherwise an injected <base href> can redirect every relative script URL, including nonce-bearing ones, to an attacker-controlled host.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Security
Allow inline @style and events (@onclick)

Allows the use of inline resources, such as inline event handlers, eg. @onclick, inline <script> elements for javascript, and @style and inline <style> elements for CSS.

Add secure dynamic nonce token to allow in-document styles and script

An allow-list for specific inline scripts using a cryptographic nonce (number used once).

The server must generate a unique nonce value each time it transmits a policy.

It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial.

Allow inline styles etc. based on SHA hashing

This is the 'unsafe-hashes' keyword. On its own, a hash source only matches the body of an inline <script> or <style> element; 'unsafe-hashes' extends hash matching to inline event handlers (@onclick and friends) and @style attributes, so that a hash listed below can authorise them.

If you only need to allow specific inline event handlers and not inline <script> elements or javascript: URLs, this is a safer method than using the 'unsafe-inline' expression, because only handlers whose exact text you hashed are allowed.

Hashes

Allowed SHAs (checksum reflecting the allowed style or JavaScript)
type: text
type: text

A sha256, sha384 or sha512 hash of scripts or styles. The source expression consists of two portions separated by a dash, all in single quotes: the hash algorithm and the base64-encoded digest of the script or style, e.g. 'sha256-<base64 digest>'. The digest is taken over the exact text between the opening and closing tag (for an event handler, the attribute value), so any change to whitespace or line breaks invalidates it. Browsers print the expected hash in the console when they block an inline script, which is the easiest way to obtain it.

In CSP 2.0, this applied only to inline scripts. CSP 3.0 also allows it for external scripts under script-src, provided the <script> element carries an integrity attribute whose hash matches a listed source.

Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Mixed Content

type: boolean
block-all-mixed-content: on a page served over https, blocks every subresource fetched over plain http instead of letting the browser load passive content (images, media) insecurely. Deprecated; prefer upgrade-insecure-requests.

Upgrade Insecure Requests

type: boolean
upgrade-insecure-requests: instructs the browser to rewrite the http: URLs of this page's subresources, form submissions and same-host navigations to https: before fetching, so a legacy page full of http:// links can move to TLS without editing its markup. Navigations to other hosts are not upgraded, and this is not a substitute for HSTS.

Script Source

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Allow JavaScript modules to inherit URL permissions
type: boolean
The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, is propagated to all the scripts loaded by that root script (for example via document.createElement('script') or dynamic import). At the same time, any allow-list or source expressions such as 'self' or 'unsafe-inline' are ignored by browsers that support CSP 3; older browsers ignore 'strict-dynamic' instead and fall back to the allow-list, so the two can be combined for compatibility. Scripts inserted through parser-driven markup (innerHTML, document.write) do not inherit trust. See script-src for an example.
Security
Allow JavaScript eval()
type: boolean

The 'unsafe-eval' source expression controls several script execution methods that create code from strings. If 'unsafe-eval' isn't specified with the script-src directive, the following are blocked: eval() and Function() throw an EvalError, and string-argument timers are silently dropped without running:

  • eval()
  • Function() (the Function constructor)
  • the timer functions when passed a string instead of a function, e.g. window.setTimeout("alert(\"Hello World!\");", 500):
    • window.setTimeout
    • window.setInterval
    • window.setImmediate
  • window.execScript (IE < 11 only)


Allow inline @style and events (@onclick)

Allows the use of inline resources, such as inline event handlers, eg. @onclick, inline <script> elements for javascript, and @style and inline <style> elements for CSS.

Add secure dynamic nonce token to allow in-document styles and script

An allow-list for specific inline scripts using a cryptographic nonce (number used once).

The server must generate a unique nonce value each time it transmits a policy.

It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial.

Allow inline styles etc. based on SHA hashing

This is the 'unsafe-hashes' keyword. On its own, a hash source only matches the body of an inline <script> or <style> element; 'unsafe-hashes' extends hash matching to inline event handlers (@onclick and friends) and @style attributes, so that a hash listed below can authorise them.

If you only need to allow specific inline event handlers and not inline <script> elements or javascript: URLs, this is a safer method than using the 'unsafe-inline' expression, because only handlers whose exact text you hashed are allowed.

Hashes

Allowed SHAs (checksum reflecting the allowed style or JavaScript)
type: text
type: text

A sha256, sha384 or sha512 hash of scripts or styles. The source expression consists of two portions separated by a dash, all in single quotes: the hash algorithm and the base64-encoded digest of the script or style, e.g. 'sha256-<base64 digest>'. The digest is taken over the exact text between the opening and closing tag (for an event handler, the attribute value), so any change to whitespace or line breaks invalidates it. Browsers print the expected hash in the console when they block an inline script, which is the easiest way to obtain it.

In CSP 2.0, this applied only to inline scripts. CSP 3.0 also allows it for external scripts under script-src, provided the <script> element carries an integrity attribute whose hash matches a listed source.

Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.
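The weak settings discussed in the Script Source section ('unsafe-inline' without a nonce or hash, 'unsafe-eval', data: URLs, wildcard hosts) and the directives that do not inherit from default-src (base-uri, form-action) can be checked mechanically before a header ships. The following Node.js linter is an added example, not code from the original page or the product it documents; its rule set is a distilled checklist rather than a complete policy evaluator, and the sample headers in the usage comment are constructed.

```javascript
// Added example: parse a Content-Security-Policy header and flag weak settings.

// Parse "a b c; d e" into a Map of directive name -> array of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The spec ignores a repeated directive: only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive, honouring the default-src fallback.
function effective(directives, name) {
  return directives.get(name) || directives.get('default-src') || null;
}

function lintPolicy(header) {
  const d = parsePolicy(header);
  const findings = [];
  const script = effective(d, 'script-src');
  if (script === null) {
    findings.push('script-src/default-src missing: scripts may load from anywhere');
  } else {
    const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = script.includes("'strict-dynamic'");
    // CSP 3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
    // harmless as a fallback then; without one it disables XSS protection outright.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' with no nonce or hash");
    }
    if (script.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval' (eval, Function, string timers)");
    }
    if (script.includes('data:')) {
      findings.push('script-src allows data: URLs, which is equivalent to allowing inline script');
    }
    // With 'strict-dynamic' the host list is ignored by CSP 3 browsers, so only check it otherwise.
    if (!strictDynamic) {
      if (script.some(s => s === '*' || s === 'http:' || s === 'https:')) {
        findings.push('script-src allows any host via wildcard or bare scheme');
      }
      if (script.some(s => /^http:\/\//i.test(s))) {
        findings.push('script-src allows a plaintext http:// host');
      }
    }
  }
  // object-src falls back to default-src; base-uri and form-action do not.
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push("object-src missing: set object-src 'none' to block plugin-based script execution");
  }
  if (!d.has('base-uri')) {
    findings.push('base-uri missing (no default-src fallback): an injected <base> can redirect relative script URLs');
  }
  if (!d.has('form-action')) {
    findings.push('form-action missing (no default-src fallback): forms may post anywhere');
  }
  return findings;
}

// Usage (constructed headers):
//   lintPolicy("default-src 'self'; script-src 'self' 'unsafe-inline' https:")
//     -> findings about 'unsafe-inline', the https: wildcard, base-uri and form-action
//   lintPolicy("script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'; form-action 'self'")
//     -> []
```

The check that trips people up most often is the first one: 'unsafe-inline' next to a nonce is a deliberate compatibility fallback for pre-CSP 3 browsers and should not be flagged, while 'unsafe-inline' on its own means the policy does nothing against reflected or stored XSS.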

Trusted Types

Status
'none': refers to the empty set; no policy names are allowed, so no Trusted Types policy can be created.
Custom CSP header for this topic
Restrictions
type: boolean
Allow trusted types duplicates: the 'allow-duplicates' keyword permits creating more than one policy with the same name. Without it, a second trustedTypes.createPolicy() call with an already-used name throws.

Trusted Type Name

Allowed Types
pattern: [a-zA-Z]\w+
type: text
List of policy names that trustedTypes.createPolicy() may create; a name not on the list is rejected. Pair this directive with require-trusted-types-for 'script' so that DOM XSS sinks (innerHTML, eval, script.src and the like) reject plain strings and accept only values produced by a listed policy.

Connect Source

connect-src governs fetch(), XMLHttpRequest, WebSocket, EventSource and navigator.sendBeacon. It is the directive that limits where script running in the page can send data, so it is the main control against exfiltration after an injection; avoid wildcards here.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Security
Allow inline @style and events (@onclick)

Allows the use of inline resources, such as inline event handlers, eg. @onclick, inline <script> elements for javascript, and @style and inline <style> elements for CSS.

Add secure dynamic nonce token to allow in-document styles and script

An allow-list for specific inline scripts using a cryptographic nonce (number used once).

The server must generate a unique nonce value each time it transmits a policy.

It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial.

Allow inline styles etc. based on SHA hashing

This is the 'unsafe-hashes' keyword. On its own, a hash source only matches the body of an inline <script> or <style> element; 'unsafe-hashes' extends hash matching to inline event handlers (@onclick and friends) and @style attributes, so that a hash listed below can authorise them.

If you only need to allow specific inline event handlers and not inline <script> elements or javascript: URLs, this is a safer method than using the 'unsafe-inline' expression, because only handlers whose exact text you hashed are allowed.

Hashes

Allowed SHAs (checksum reflecting the allowed style or JavaScript)
type: text
type: text

A sha256, sha384 or sha512 hash of scripts or styles. The source expression consists of two portions separated by a dash, all in single quotes: the hash algorithm and the base64-encoded digest of the script or style, e.g. 'sha256-<base64 digest>'. The digest is taken over the exact text between the opening and closing tag (for an event handler, the attribute value), so any change to whitespace or line breaks invalidates it. Browsers print the expected hash in the console when they block an inline script, which is the easiest way to obtain it.

In CSP 2.0, this applied only to inline scripts. CSP 3.0 also allows it for external scripts under script-src, provided the <script> element carries an integrity attribute whose hash matches a listed source.

Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Worker Source

worker-src governs the scripts loaded as Worker, SharedWorker and ServiceWorker. If it is absent, browsers fall back to child-src, then script-src, then default-src.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Child Source

child-src governs nested browsing contexts (frames) and web workers. In CSP 3 it is only a fallback: frame-src takes precedence for frames and worker-src for workers.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Manifest Source

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Style Source

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Security
Allow inline @style and events (@onclick)

Allows the use of inline resources, such as inline event handlers, eg. @onclick, inline <script> elements for javascript, and @style and inline <style> elements for CSS.

Add secure dynamic nonce token to allow in-document styles and script

An allow-list for specific inline scripts using a cryptographic nonce (number used once).

The server must generate a unique nonce value each time it transmits a policy.

It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial.

Allow inline styles etc. based on SHA hashing

This is the 'unsafe-hashes' keyword. On its own, a hash source only matches the body of an inline <script> or <style> element; 'unsafe-hashes' extends hash matching to inline event handlers (@onclick and friends) and @style attributes, so that a hash listed below can authorise them.

If you only need to allow specific inline event handlers and not inline <script> elements or javascript: URLs, this is a safer method than using the 'unsafe-inline' expression, because only handlers whose exact text you hashed are allowed.

Hashes

Allowed SHAs (checksum reflecting the allowed style or JavaScript)
type: text
type: text

A sha256, sha384 or sha512 hash of scripts or styles. The source expression consists of two portions separated by a dash, all in single quotes: the hash algorithm and the base64-encoded digest of the script or style, e.g. 'sha256-<base64 digest>'. The digest is taken over the exact text between the opening and closing tag (for an event handler, the attribute value), so any change to whitespace or line breaks invalidates it. Browsers print the expected hash in the console when they block an inline script, which is the easiest way to obtain it.

In CSP 2.0, this applied only to inline scripts. CSP 3.0 also allows it for external scripts under script-src, provided the <script> element carries an integrity attribute whose hash matches a listed source.

Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Font Source

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Prefetch Source

prefetch-src has been removed from the CSP specification and current browsers no longer honour it. It is kept here for older deployments only and should not be relied upon for enforcement.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Sandbox

Status
With no keywords, sandbox applies every restriction: the document gets a unique origin and cannot run scripts, submit forms, open popups or navigate the top-level context. Each keyword below re-enables one capability; add only the ones the content needs.
Custom CSP header for this topic
Restrictions
type: boolean
allow-popups-to-escape-sandbox: Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.

URL

type: boolean
allow-same-origin: Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin. Combining allow-same-origin with allow-scripts lets sandboxed content that is same-origin with its embedder reach into the embedder and remove the sandbox, so never pair the two for untrusted content.

JavaScript

type: boolean
allow-scripts: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
type: boolean
allow-storage-access-by-user-activation: Lets the resource request access to the parent's storage capabilities with the Storage Access API.
type: boolean
allow-downloads-without-user-activation: Allows downloads to occur without a gesture from the user.

Content

type: boolean
allow-forms: Allows the page to submit forms. If this keyword is not used, this operation is not allowed.

Windows

type: boolean
allow-popups: Allows popups (from window.open, target="_blank" and similar). If this keyword is not used, that functionality will silently fail.
type: boolean
allow-modals: Allows the page to open modal dialogs (alert, confirm, prompt, print).

Monitor

type: boolean
allow-orientation-lock: Lets the page lock the screen orientation.
type: boolean
allow-pointer-lock: Allows the page to use the Pointer Lock API.
type: boolean
allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.

Navigation

type: boolean
allow-top-navigation: Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
type: boolean
allow-top-navigation-by-user-activation: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

Image Source

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Form Action

form-action restricts the URLs a <form> may submit to. It does not fall back to default-src, so set it explicitly; without it, an injected form (or a rewritten action attribute) can post the user's input, including credentials, to an attacker-controlled host.

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wild cards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample (the first 40 characters) of the violating inline script, event handler or style to be included in the violation report; the sample may contain user data, so treat reports as sensitive.

Media Source

Status
No CSP header set for this topic.
'none': refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

'self' refers to the origin from which the protected document is being served: the same scheme, host and port number. The single quotes are required.

Some browsers do not treat blob: and filesystem: URLs as matching 'self'. Sites that need those content types should list the scheme explicitly (blob: or filesystem:) alongside 'self' rather than relying on 'self' alone.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources. Note that in CSP 3 a bare http: scheme source also matches https: URLs, so this is effectively "any host on the web".
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources. Any host reachable over TLS qualifies, including attacker-controlled ones, so this is not a meaningful restriction for script-src or connect-src.

External URLs

Allowed URLs. Wildcards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Security
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample of the violating code to be included in the violation report.

Navigate to

Status
No CSP header set for this topic.
Refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

Refers to the origin from which the protected document is being served, including the same URL scheme and port number.

Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the data: attribute.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources.
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources.

External URLs

Allowed URLs. Wildcards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample of the violating code to be included in the violation report.

Object Source

Status
No CSP header set for this topic.
Refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

Refers to the origin from which the protected document is being served, including the same URL scheme and port number.

Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the data: attribute.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources.
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources.

External URLs

Allowed URLs. Wildcards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample of the violating code to be included in the violation report.

Plugin

Status
No CSP header set for this topic.
Refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic

MIME Type

required: true
type: text
pattern: {type}/{subtype}
Full MIME type, e.g. image/png, image/svg+xml

Frame Source

Status
No CSP header set for this topic.
Refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic

A frame allowance is needed for embedded YouTube videos.

Restrictions
URLs
Same domain (only)
type: boolean

Refers to the origin from which the protected document is being served, including the same URL scheme and port number.

Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the data: attribute.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources.
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources.

External URLs

Allowed URLs. Wildcards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample of the violating code to be included in the violation report.

Frame Ancestors

Not available as a client-side meta tag.

Status
No CSP header set for this topic.
Refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

Refers to the origin from which the protected document is being served, including the same URL scheme and port number.

Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the data: attribute.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources.
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources.

External URLs

Allowed URLs. Wildcards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample of the violating code to be included in the violation report.

Fenced Frame Source

Status
No CSP header set for this topic.
Refers to the empty set; that is, no URLs match. The single quotes are required.
Custom CSP header for this topic
Restrictions
URLs
Same domain (only)
type: boolean

Refers to the origin from which the protected document is being served, including the same URL scheme and port number.

Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the data: attribute.

Allow all http sources
type: boolean
This is a wildcard for all http (insecure) sources.
Allow all https sources
type: boolean
This is a wildcard for all https (secure) sources.

External URLs

Allowed URLs. Wildcards (*) allowed
type: text
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.
Media URLs
Allow JavaScript data URLs
type: boolean

Allows data URIs to be used as a content source.

This is insecure; an attacker can also inject arbitrary data URIs. Use this sparingly and definitely not for scripts.

data:[<mediatype>][;<encoding>],<data>

data:text/html,<script>alert('hi');</script>

Allow JavaScript binary URLs
type: boolean
Allows blob URIs to be used as a content source.
Allow JavaScript Filesystem Object URLs
type: boolean
Allows filesystem URIs to be used as a content source.
Allow JavaScript Media Stream Object URLs
type: boolean
Allows mediastream: URIs to be used as a content source.
Other
Include sample of violation
type: boolean
Requires a sample of the violating code to be included in the violation report.

Report To

Not available as a client-side meta tag.

Status
Refers to the empty set.
Custom CSP header for this topic
Max Age (days) until being deleted
datatype: integer
required: true
Days until deleted

URL

required: true
datatype: url
minOccurs: 1
URL for CSP report service

Output format

Send Email on Violations
type: boolean
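The Report To fields above (a max age in days, a report service URL, and an email-on-violation switch) feed two things: the Report-To response header with its matching report-to directive, and whatever receives the reports. The following is an added example, not code from this page or from the tool it describes. It builds the header (max_age is expressed in seconds, so the days value is converted) and normalises incoming violation reports into one flat record, handling both the Reporting API shape (type "csp-violation" with a body) and the legacy report-uri shape ("csp-report"), including the sample field that the "Include sample of violation" option requests. The sample reports and the triage rule behind the email option are constructed for this example, as are the host names.

```javascript
'use strict';
// Added example, not code from the page or from the tool it describes.
// Two pieces behind the "Report To" fields above: building the Report-To
// header plus the matching report-to directive (max_age is in seconds, so
// the days value is converted), and normalising the violation reports a
// collector receives. Both the Reporting API shape (type "csp-violation"
// with a body) and the legacy report-uri shape ("csp-report") are handled.
// The sample reports and the triage rule are constructed for this example.

const SECONDS_PER_DAY = 86400;

// Report-To header value for one endpoint group; days -> seconds.
function reportToHeader(group, endpointUrl, maxAgeDays) {
  if (!Number.isInteger(maxAgeDays) || maxAgeDays < 1) {
    throw new RangeError('maxAgeDays must be a positive integer');
  }
  const endpoint = new URL(endpointUrl);
  if (endpoint.protocol !== 'https:') {
    throw new Error('report endpoint must be https'); // reports carry page URLs and code samples
  }
  return JSON.stringify({
    group,
    max_age: maxAgeDays * SECONDS_PER_DAY,
    endpoints: [{ url: endpoint.href }],
  });
}

// The directive that points the policy at that group.
function reportToDirective(group) {
  return `report-to ${group}`;
}

// Flatten one received report into a record suitable for logging or alerting.
function normaliseReport(report) {
  if (report && report.type === 'csp-violation' && report.body) {
    const b = report.body;
    return {
      documentUrl: b.documentURL,
      blockedUrl: b.blockedURL,
      directive: b.effectiveDirective,
      disposition: b.disposition,                 // "enforce" or "report"
      sample: b.sample || null,                   // only present with report-sample
      sourceFile: b.sourceFile || null,
      line: typeof b.lineNumber === 'number' ? b.lineNumber : null,
    };
  }
  if (report && report['csp-report']) {
    const r = report['csp-report'];
    return {
      documentUrl: r['document-uri'],
      blockedUrl: r['blocked-uri'],
      directive: r['effective-directive'] || r['violated-directive'],
      disposition: r.disposition || 'enforce',
      sample: r['script-sample'] || null,
      sourceFile: r['source-file'] || null,
      line: typeof r['line-number'] === 'number' ? r['line-number'] : null,
    };
  }
  throw new TypeError('not a CSP violation report');
}

// Assumed triage rule for the "Send Email on Violations" option: blocked
// inline, eval or data: script and plugin content is the signal worth paging
// on; everything else goes to a periodic summary.
function triage(record) {
  const scriptLike = record.directive === 'script-src' || record.directive === 'object-src';
  const injected = ['inline', 'eval'].includes(record.blockedUrl) || /^data:/.test(record.blockedUrl || '');
  return scriptLike && injected ? 'high' : 'low';
}

// Constructed sample reports (not real traffic).
const SAMPLE_REPORTS = [
  {
    type: 'csp-violation', age: 12, url: 'https://app.example.com/',
    body: {
      documentURL: 'https://app.example.com/', blockedURL: 'inline',
      effectiveDirective: 'script-src', disposition: 'enforce',
      sample: "alert('hi')", sourceFile: 'https://app.example.com/',
      lineNumber: 42, statusCode: 200,
    },
  },
  {
    'csp-report': {
      'document-uri': 'https://app.example.com/page',
      'blocked-uri': 'https://cdn.example.net/img.png',
      'violated-directive': 'img-src', 'effective-directive': 'img-src',
      disposition: 'report',
    },
  },
];
```

The endpoint check is deliberate: a report includes the document URL, the blocked URL and, with report-sample, the first bytes of the offending code, so the collector should only ever be reachable over https. Normalising both shapes lets one alerting rule cover browsers that still send the legacy report-uri format alongside those using the Reporting API.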


 
 

 
 



