3.1.Content-Security-Policy Header Field

TheContent-Security-Policy header field is the preferred mechanism for delivering a policy. The grammar is as follows:

"Content-Security-Policy:" 1#policy-token

For example, a response might include the following header field:

A server MUST NOT send more than one HTTP header field namedContent-Security-Policy with a givenresource representation.

A server MAY send differentContent-Security-Policy header field values with differentrepresentations of the same resource or with different resources.

Upon receiving an HTTP response containing at least oneContent-Security-Policy header field, the user agent MUSTenforce each of the policies contained in each such header field.

3.2.Content-Security-Policy-Report-Only Header Field

TheContent-Security-Policy-Report-Only header field lets servers experiment with policies by monitoring (rather than enforcing) a policy. The grammar is as follows:

"Content-Security-Policy-Report-Only:" 1#policy-token

For example, server operators might wish to develop their security policy iteratively. The operators can deploy a report-only policy based on their best estimate of how their site behaves:

Content-Security-Policy-Report-Only:script-src 'self';report-uri /csp-report-endpoint/

If their site violates this policy the user agent willsend violation reports to the URL specified in the policy’sreport-uri directive, but allow the violating resources to load regardless. Once a site has confidence that the policy is appropriate, they can start enforcing the policy using theContent-Security-Policy header field.

A server MUST NOT send more than one HTTP header field namedContent-Security-Policy-Report-Only with a givenresource representation.

A server MAY send differentContent-Security-Policy-Report-Only header field values with differentrepresentations of the same resource or with different resources.

Upon receiving an HTTP response containing at least oneContent-Security-Policy-Report-Only header field, the user agent MUSTmonitor each of the policies contained in each such header field.

Note: TheContent-Security-Policy-Report-Only header isnot supported inside ameta element.

3.3. HTMLmeta Element

The server MAY supply policy via one or more HTMLmeta elements withhttp-equiv attributes that are anASCII case-insensitive match for the string "Content-Security-Policy". For example:

<meta http-equiv="Content-Security-Policy" content="script-src 'self'">

Add the following entry to thepragma directives for themeta element:

Content security policy (http-equiv="content-security-policy")

1. If the Document’shead element is not an ancestor of themeta element, abort these steps.
2. If themeta element lacks acontent attribute, abort these steps.
3. Letpolicy be the value of thecontent attribute of themeta element.
4. Letdirective-set be the result ofparsingpolicy.
5. Remove all occurrences ofreport-uri,frame-ancestors, andsandbox directives fromdirective-set.

   Note: User agents are encouraged to issue a warning to developers if one or more of these directives are included in a policy delivered viameta.

6. Enforce each of thedirectives indirective-set, asdefined for each directive type.

Authors arestrongly encouraged to placemeta elements as early in the document as possible, because policies inmeta elements are not applied to content which precedes them. In particular, note that resources fetched or prefetched using theLink HTTP response header field, and resources fetched or prefetched usinglink andscript elements which precede ameta-delivered policy will not be blocked.

Note: Apolicy specified via ameta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in§3.4 Enforcing multiple policies..

Note: Modifications to thecontent attribute of ameta element after the element has been parsed will be ignored.

Note: TheContent-Security-Policy-Report-Only header isnot supported inside ameta element.

3.4.Enforcing multiple policies.

This section is not normative.

The above sections note that when multiple policies are present, each must be enforced or reported, according to its type. An example will help clarify how that ought to work in practice. The behavior of anXMLHttpRequest might seem unclear given a site that, for whatever reason, delivered the following HTTP headers:

Content-Security-Policy:default-src 'self' http://example.com http://example.net;connect-src 'none';Content-Security-Policy:connect-src http://example.com/;script-src http://example.com/

Is a connection toexample.com allowed or not? The short answer is that the connection is not allowed. Enforcing both policies means that a potential connection would have to pass through both unscathed. Even though the second policy would allow this connection, the first policy containsconnect-src 'none', so its enforcement blocks the connection. The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.

To demonstrate that further, consider a script tag on this page. The first policy would lock scripts down to'self',http://example.com andhttp://example.net via thedefault-src directive. The second, however, would only allow script fromhttp://example.com/. Script will only load if it meets both policy’s criteria: in this case, the only origin that can match ishttp://example.com, as both policies allow it.

3.5.Policy applicability

This section is not normative.

Policies are associated with anprotected resource, andenforced ormonitored for that resource. If a resource does not create a new execution context (for example, when including a script, image, or stylesheet into a document), then any policies delivered with that resource are discarded without effect. Its execution is subject to the policy or policies of the including context. The following table outlines examples of these relationships:

4.1.Policy Syntax

A Content Security Policy consists of a U+003B SEMICOLON (;) delimited list of directives. Eachdirective consists of adirective name and (optionally) adirective value, defined by the following ABNF:

policy-token    = [directive-token *( ";" [directive-token ] ) ]directive-token = *WSP [directive-name [ WSPdirective-value ] ]directive-name  = 1*( ALPHA / DIGIT / "-" )directive-value = *( WSP / <VCHAR except ";" and ","> )

4.2.Source List Syntax

Many CSP directives use a value consisting of asource list, defined in the ABNF grammar below.

Eachsource expression in the source list represents a location from which content of the specified type can be retrieved. For example, the source expression'none' represents the empty set of URLs, and the source expression'unsafe-inline' represents content supplied inline in the resource itself.

source-list       = *WSP [source-expression *( 1*WSPsource-expression ) *WSP ]                  / *WSP "'none'" *WSPsource-expression =scheme-source /host-source /keyword-source /nonce-source /hash-sourcescheme-source     =scheme-part ":"host-source       = [scheme-part "://" ]host-part [port-part ] [path-part ]keyword-source    = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"base64-value      = 1*( ALPHA / DIGIT / "+" / "/" )*2( "=" )nonce-value       =base64-valuehash-value        =base64-valuenonce-source      = "'nonce-"nonce-value "'"hash-algo         = "sha256" / "sha384" / "sha512"hash-source       = "'"hash-algo "-"hash-value "'"scheme-part       = <scheme production fromRFC 3986, section 3.1>host-part         = "*" / [ "*." ] 1*host-char *( "." 1*host-char )host-char         = ALPHA / DIGIT / "-"path-part         = <path production fromRFC 3986, section 3.3>port-part         = ":" ( 1*DIGIT / "*" )

If the policy contains anonce-source expression, the server MUST generate a fresh value for thenonce-value directive at random and independently each time it transmits a policy. The generated value SHOULD be at least 128 bits long (before encoding), and generated via a cryptographically secure random number generator. This requirement ensures that thenonce-value is difficult for an attacker to predict.

Note: Using a nonce to whitelist inline script or style is less secure than not using a nonce, as nonces override the restrictions in the directive in which they are present. An attacker who can gain access to the nonce can execute whatever script they like, whenever they like. That said, nonces provide a substantial improvement over'unsafe-inline' when layering a content security policy on top of old code. When considering'unsafe-inline', authors are encouraged to consider nonces (or hashes) instead.

Thehost-char production intentionally contains only ASCII characters; internationalized domain names cannot be entered directly into a policy string, but instead MUST be Punycode-encoded[RFC3492]. For example, the domainüüüüüü.de would be encoded asxn--tdaaaaaa.de.

NOTE: Though IP addresses do match the grammar above, only127.0.0.1 will actually match a URL when used in a source expression (see§4.2.2 Matching Source Expressions for details). The security properties of IP addresses are suspect, and authors ought to prefer hostnames to IP addresses whenever possible.

partial interfaceHTMLScriptElement {  attribute DOMStringnonce;};

partial interfaceHTMLStyleElement {  attribute DOMStringnonce;};

4.3.Media Type List Syntax

Theplugin-types directive uses a value consisting of amedia type list.

Eachmedia type in the media type list represents a specific type of resource that can be retrieved and used to instantiate aplugin in the protected resource.

media-type-list   =media-type *( 1*WSPmedia-type )media-type        = <type from RFC 2045> "/" <subtype from RFC 2045>

4.4.Reporting

Tostripuri for reporting, the user agent MUST use an algorithm equivalent to the following:

1. If theorigin ofuri is aglobally unique identifier (for example,uri has a scheme ofdata,blob, orfilesystem), then abort these steps, and return the ASCII serialization ofuri’s scheme.
2. If theorigin ofuri is not the same as theorigin of the protected resource, then abort these steps, and return theASCII serialization ofuri’s origin.
3. Returnuri, with anyfragment component removed.

Togenerate a violation report object, the user agent MUST use an algorithm equivalent to the following:

1. Prepare a JSON objectviolation with the following keys and values:

   blocked-uri

   The originally requested URL of the resource that was prevented from loading,stripped for reporting, or the empty string if the resource has no URL (inline script and inline style, for example).

   document-uri

   Theaddress of the protected resource,stripped for reporting.

   effective-directive

   The name of the policy directive that was violated. This will contain thedirective whose enforcement triggered the violation (e.g. "script-src") even if that directive does not explicitly appear in the policy, but is implicitly activated via thedefault-src directive.

   original-policy

   The originalpolicy, as received by the user agent.

   referrer

   Thereferrer attribute of the protected resource, or the empty string if the protected resource has no referrer.

   status-code

   Thestatus-code of the HTTP response that contained the protected resource, if the protected resource was obtained over HTTP. Otherwise, the number 0.

   violated-directive

   The policy directive that was violated, as it appears in the policy. This will contain thedefault-src directive in the case of violations caused by falling back to thedefault sources when enforcing a directive.

2. If a specific line or a specific file can be identified as the cause of the violation (for example, script execution that violates thescript-src directive), the user agent MAY add the following keys and values toviolation:

   source-file

   The URL of the resource where the violation occurred,stripped for reporting.

   line-number

   The line number insource-file on which the violation occurred.

   column-number

   The column number insource-file on which the violation occurred.

3. Returnviolation.

Note:blocked-uri will not contain the final location of a resource that was blocked after one or more redirects. It instead will contain only the location that the protected resource requested, before any redirects were followed.

Tosend violation reports, the user agent MUST use an algorithm equivalent to the following:

1. Prepare aJSON objectreport object with a single key,csp-report, whose value is the result ofgenerating a violation report object.
2. Letreport body be theJSON stringification ofreport object.
3. For eachreport URL in theset of report URLs:
   1. If the user agent has already sent a violation report for the protected resource toreport URL, and that report contained an entity body that exactly matchesreport body, the user agent MAY abort these steps and continue to the nextreport URL.
   2. Queue a task tofetchreport URL from the origin of the protected resource, with the synchronous flagnot set, using HTTP methodPOST, with aContent-Type header field ofapplication/csp-report, and an entity body consisting ofreport body. If the origin ofreport URL isnot the same as the origin of the protected resource, the block cookies flag MUST also be set. The user agent MUST NOT follow redirects when fetching this resource. (Note: The user agent ignores the fetched resource.) Thetask source for thesetasks is theContent Security Policy task source.

Toreport a violation, the user agent MUST:

1. Fire a violation event at the protected resource’sDocument.
2. If theset of report URLs is non-empty,send violation reports to each.

Note: This section of the specification should not be interpreted as limiting user agents' ability to apply restrictions to violation reports in order to limit data leakage above and beyond what these algorithms specify. For example, a user agent might offer users the option of disabling reporting entirely.

5.1.Workers

Whenever a user agentruns a worker:

• If the worker’s script’s origin is aglobally unique identifier (for example, the worker’s script’s URL has a scheme ofdata,blob, orfilesystem), then:
  • If the user agent is enforcing a CSP policy for theowner document orparent worker, the user agent MUST enforce the CSP policy for the worker.
  • If the user agent is monitoring a CSP policy for theowner document orparent worker, the user agent MUST monitor the CSP policy for the worker.
• Otherwise:
  • If the worker’s script is delivered with aContent-Security-Policy HTTP header containing the valuepolicy, the user agent MUSTenforcepolicy for the worker.
  • If the worker’s script is delivered with aContent-Security-Policy-Report-Only HTTP header containing the valuepolicy, the user agent MUSTmonitorpolicy for the worker.

5.2.srcdoc IFrames

Whenever a user agent createsaniframesrcdoc document in a browsing context nested in the protected resource, if the user agent isenforcing anypolicies for the protected resource, the user agent MUSTenforce thosepolicies on theiframesrcdoc document as well.

Whenever a user agent createsaniframesrcdoc document in a browsing context nested in the protected resource, if the user agent is monitoring any policies for the protected resource, the user agent MUSTmonitor those policies on theiframesrcdoc document as well.

6.1.SecurityPolicyViolationEvent Interface

[Constructor(DOMStringtype, optionalSecurityPolicyViolationEventIniteventInitDict)]interfaceSecurityPolicyViolationEvent :Event {    readonly    attribute DOMStringdocumentURI;    readonly    attribute DOMStringreferrer;    readonly    attribute DOMStringblockedURI;    readonly    attribute DOMStringviolatedDirective;    readonly    attribute DOMStringeffectiveDirective;    readonly    attribute DOMStringoriginalPolicy;    readonly    attribute DOMStringsourceFile;    readonly    attribute DOMStringstatusCode;    readonly    attribute longlineNumber;    readonly    attribute longcolumnNumber;};

documentURI, of typeDOMString, readonly

Refer to thedocument-uri property of violation reports for a description of this property.

referrer, of typeDOMString, readonly

Refer to thereferrer property of violation reports for a description of this property.

blockedURI, of typeDOMString, readonly

Refer to theblocked-uri property of violation reports for a description of this property.

violatedDirective, of typeDOMString, readonly

Refer to theviolated-directive property of violation reports for a description of this property.

effectiveDirective, of typeDOMString, readonly

Refer to theeffective-directive property of violation reports for a description of this property.

originalPolicy, of typeDOMString, readonly

Refer to theoriginal-policy property of violation reports for a description of this property.

statusCode, of typeDOMString, readonly

Refer to thestatus-code property of violation reports for a description of this property.

sourceFile, of typeDOMString, readonly

Refer to thesource-file property of violation reports for a description of this property.

lineNumber, of typelong, readonly

Refer to theline-number property of violation reports for a description of this property.

columnNumber, of typelong, readonly

Refer to thecolumn-number property of violation reports for a description of this property.

6.2.SecurityPolicyViolationEventInit Interface

dictionarySecurityPolicyViolationEventInit :EventInit {    DOMStringdocumentURI;    DOMStringreferrer;    DOMStringblockedURI;    DOMStringviolatedDirective;    DOMStringeffectiveDirective;    DOMStringoriginalPolicy;    DOMStringsourceFile;    longlineNumber;    longcolumnNumber;};

documentURI, of typeDOMString

Refer to thedocument-uri property of violation reports for a description of this property.

referrer, of typeDOMString

Refer to thereferrer property of violation reports for a description of this property.

blockedURI, of typeDOMString

Refer to theblocked-uri property of violation reports for a description of this property.

violatedDirective, of typeDOMString

Refer to theviolated-directive property of violation reports for a description of this property.

effectiveDirective, of typeDOMString

Refer to theeffective-directive property of violation reports for a description of this property.

originalPolicy, of typeDOMString

Refer to theoriginal-policy property of violation reports for a description of this property.

sourceFile, of typeDOMString

Refer to thesource-file property of violation reports for a description of this property.

lineNumber, of typelong

Refer to theline-number property of violation reports for a description of this property.

columnNumber, of typelong

Refer to thecolumn-number property of violation reports for a description of this property.

6.3.Firing Violation Events

Tofire a violation event, the user agent MUST use an algorithm equivalent to the following:

1. Letreport object be the result ofgenerating a violation report object.
2. Queue a task tofire an event namedsecuritypolicyviolation using theSecurityPolicyViolationEvent interface with the following initializations:
   • blockedURI MUST be initialized to the value ofreport object’sblocked-uri key.
   • documentURI MUST be initialized to the value ofreport object’sdocument-uri key.
   • effectiveDirective MUST be initialized to the value ofreport object’seffective-directive key.
   • originalPolicy MUST be initialized to the value ofreport object’soriginal-policy key.
   • referrer MUST be initialized to the value ofreport object’sreferrer key.
   • violatedDirective MUST be initialized to the value ofreport object’sviolated-directive key.
   • sourceFile MUST be initialized to the value ofreport object’ssource-file key.
   • lineNumber MUST be initialized to the value ofreport object’sline-number key.
   • columnNumber MUST be initialized to the value ofreport object’scolumn-number key.

Thetask source for thesetasks is theContent Security Policy task source.

7.1.base-uri

Thebase-uri directive restricts the URLs that can be used to specify thedocument base URL. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "base-uri"directive-value   =source-list

The termallowed base URLs refers to the result ofparsing thebase-uri directive’s value as a source list.

Note:base-uri does not fall back to thedefault sources.

Step 4 of the algorithm defined in HTML5 to obtain adocument’s base URL MUST be changed to:

4. If the previous step was not successful, or the result of the previous step does notmatch theallowed base URLs for theprotected resource, then thedocument base URL isfallback base URL. Otherwise, it is the result of the previous step.

7.2.child-src

Thechild-src directive governs the creation ofnested browsing contexts as well as Worker execution contexts. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "child-src"directive-value   =source-list

The termallowed child sources refers to the result ofparsing thechild-src directive’s value as a source list if achild-src directive is explicitly specified, and otherwise to thedefault sources.

7.3.connect-src

Theconnect-src directive restricts which URLs the protected resource can load using script interfaces. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "connect-src"directive-value   =source-list

The termallowed connection targets refers to the result ofparsing theconnect-src directive’s value as a source list if the policy contains an explicitconnect-src directive, or otherwise to thedefault sources.

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed connection targets for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Processing thesend() method of anXMLHttpRequest object.
• Processing theWebSocket constructor.
• Processing theEventSource constructor.
• Pinging an endpoint duringhyperlink auditing.
• Sending a beacon via thesendBeacon() method[BEACON]

Content-Security-Policy:connect-src example.com

7.4.default-src

Thedefault-src directive sets a default source list for a number of directives. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "default-src"directive-value   =source-list

Let thedefault sources be the result ofparsing thedefault-src directive’s value as a source list if adefault-src directive is explicitly specified, and otherwise the U+002A ASTERISK character (*).

To enforce thedefault-src directive, the user agent MUST enforce the following directives:

• child-src
• connect-src
• font-src
• img-src
• media-src
• object-src
• script-src
• style-src

If not specified explicitly in the policy, the directives listed above will use thedefault sources as their source list.

Content-Security-Policy:default-src 'self'

Content-Security-Policy:default-src 'self';script-src example.com

7.5.font-src

Thefont-src directive restricts from where the protected resource can load fonts. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "font-src"directive-value   =source-list

The termallowed font sources refers to the result ofparsing thefont-src directive’s value as a source list if the policy contains an explicitfont-src, or otherwise to thedefault sources.

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed font sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting data for display in a font, such as when processing the <<@font-face>> Cascading Style Sheets (CSS) rule.

7.6.form-action

Theform-action restricts which URLs can be used as the action of HTMLform elements. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "form-action"directive-value   =source-list

The termallowed form actions refers to the result ofparsing theform-action directive’s value as a source list.

Whenever the user agentfetches a URL in the course of processing an HTMLform element, if the URL does notmatch theallowed form actions for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation.

Note:form-action does not fall back to thedefault sources when the directive is not defined. That is, a policy that definesdefault-src 'none' but notform-action will still allow form submissions to any target.

7.7.frame-ancestors

Theframe-ancestors directive indicates whether the user agent should allow embedding the resource using aframe,iframe,object,embed orapplet element, or equivalent functionality in non-HTML resources. Resources can use this directive to avoid many UI Redressing[UIREDRESS] attacks by avoiding being embedded into potentially hostile contexts.

The syntax for the name and value of the directive are described by the following ABNF grammar:

ancestor-source-list = [ancestor-source *( 1*WSPancestor-source ) ] / "'none'"ancestor-source      =scheme-source /host-sourcedirective-name  = "frame-ancestors"directive-value =ancestor-source-list

The termallowed frame ancestors refers to the result ofparsing theframe-ancestors directive’s value as a source list. If aframe-ancestors directive is not explicitly included in the policy, thenallowed frame ancestors is "*".

To enforce theframe-ancestors directive, whenever the user agent would load the protected resource into anested browsing context, the user agent MUST perform the following steps:

1. LetnestedContext be the nested browsing context into which the protected resource is being loaded.
2. LetancestorList be the list of allancestors ofnestedContext.
3. For eachancestorContext inancestorList:
   1. Letdocument beancestorContext’sactive document.
   2. Ifdocument’s URL does notmatch theallowed frame ancestors for theprotected resource, the user agent MUST:
      1. Abort loading the protected resource.
      2. Take one of the following actions:
         1. Act as if it received an emptyHTTP 200 response.
         2. Redirect the user to a friendly error page which provides the option of opening the blocked page in a newtop-level browsing context.
      3. Parse a sandboxing directive using the empty string as theinput and the newly created document’sforced sandboxing flag set as theoutput.
      4. Report a violation.
      5. Abort these steps.

Steps 3.2.2 and 3.2.3 ensure that the blocked frame appears to be a normal cross-origin document’s load. If these steps are ignored, leakage of a document’s policy state is possible.

Theframe-ancestors directive MUST be ignored whenmonitoring a policy, and when a contained in a policy defined via ameta element.

Note:frame-ancestors does not fall back to thedefault sources when the directive is not defined. That is, a policy that definesdefault-src 'none' but notframe-ancestors will still allow the resource to be framed from anywhere.

When generating a violation report for aframe-ancestors violation, the user agent MUST NOT include the value of the embedding ancestor as ablocked-uri value unless it is same-origin with the protected resource, as disclosing the value of cross-origin ancestors is a violation of the Same-Origin Policy.

Content-Security-Policy:frame-ancestors https://alice https://bob

7.8.frame-src

Theframe-src directive isdeprecated. Authors who wish to govern nested browsing contexts SHOULD use thechild-src directive instead.

Theframe-src directive restricts from where the protected resource can embed frames. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "frame-src"directive-value   =source-list

The termallowed frame sources refers to the result ofparsing theframe-src directive’s value as a source list if the policy contains an explicitframe-src, or otherwise to the list ofallowed child sources.

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed frame sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting data for display in anested browsing context in the protected resource created by aniframe or aframe element.
• Navigated such anested browsing context.

7.9.img-src

Theimg-src directive restricts from where the protected resource can load images. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "img-src"directive-value   =source-list

The termallowed image sources refers to the result ofparsing theimg-src directive’s value as a source list if the policy contains an explicitimg-src, or otherwise to the list ofdefault sources.

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed image sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting data for an image, such as when processing thesrc orsrcset attributes of animg element, thesrc attribute of aninput element with a type ofimage, theposter attribute of avideo element, theurl(),image() orimage-set() values on any Cascading Style Sheets (CSS) property that is capable of loading an image[CSS4-IMAGES], or thehref attribute of alink element with an image-relatedrel attribute, such asicon.

7.10.media-src

Themedia-src directive restricts from where the protected resource can load video, audio, and associated text tracks. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "media-src"directive-value   =source-list

The termallowed media sources refers to the result ofparsing themedia-src directive’s value as a source list if the policy contains an explicitmedia-src, or otherwise to the list ofdefault sources.

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed media sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting data for a video or audio clip, such as when processing thesrc attribute of avideo,audio,source, ortrack element.

7.11.object-src

Theobject-src directive restricts from where the protected resource can load plugins. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "object-src"directive-value   =source-list

The termallowed object sources refers to the result ofparsing theobject-src directive’s value as a source list if the policy contains an explicitobject-src, or otherwise to the list ofdefault sources.

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed object sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting data for a plugin, such as when processing thedata attribute of anobject element, thesrc attribute of anembed element, or thecode orarchive attributes of anapplet element.
• Requesting data for display in anested browsing context in the protected resource created by anobject or anembed element.
• Navigating such anested browsing context.

It is not required that the consumer of the element’s data be aplugin in order for theobject-src directive to be enforced. Data for anyobject,embed, orapplet element MUST match theallowed object sources in order to be fetched. This is true even when the element data is semantically equivalent to content which would otherwise be restricted by one of the other§7 Directives, such as anobject element with atext/html MIME type.

Whenever the user agent would load aplugin without an associated URL (e.g., because theobject element lacked adata attribute), if the protected resource’s URL does notmatch theallowed object sources for theprotected resource, the user agent MUST NOT load the plugin.

7.12.plugin-types

Theplugin-types directive restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "plugin-types"directive-value   = media-type-list

The termallowed plugin media types refers to the result ofparsing theplugin-types directive’s value as a media type list.

Whenever the user agent would instantiate aplugin to handleresource while enforcing theplugin-types directive, the user agent MUST instead act as though the plugin reported an errorandreport a violation if any of the following conditions hold:

• The plugin is embedded into the protected resource via anobject orembed element that does not explicitly declare aMIME type via atype attribute.
• resource’s media type does notmatch the list ofallowed plugin media types.
• The plugin is embedded into the protected resource via anobject orembed element, and the media type declared in the element’stype attribute is not anASCII case-insensitive match for theresource’s media type.
• The plugin is embedded into the protected resource via anapplet element, andresource’s media type is not anASCII case-insensitive match forapplication/x-java-applet.

Note: In any of these cases, acting as though the plugin reported an error will cause the user agent to display thefallback content.

Whenever the user agent creates aplugin document as theactive document of achild browsing context of theprotected resource, if the user agent is enforcing anyplugin-types directives for the protected resource, the user agent MUSTenforce thoseplugin-types directives on the plugin document as well.

Whenever the user agent creates aplugin document as theactive document of achild browsing context of theprotected resource, if the user agent is monitoring anyplugin-types directives for the protected resource, the user agent MUSTmonitor thoseplugin-types directives on the plugin document as well.

Content-Security-Policy:plugin-types application/pdf

Content-Security-Policy:plugin-types application/pdf application/x-shockwave-flash

<object data="resource" type="application/pdf"></object>

7.13.report-uri

Thereport-uri directive specifies a URL to which the user agent sends reports about policy violation. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "report-uri"directive-value   =uri-reference *( 1*WSPuri-reference )uri-reference     = <URI-reference from RFC 3986>

Theset of report URLs is the value of thereport-uri directive, each resolved relative to the protected resource’s URL.

The process of sending violation reports to the URLs specified in this directive’s value is defined in this document’s§4.4 Reporting section.

Note: Thereport-uri directive will be ignored if contained within ameta element.

7.14.sandbox

Thesandbox directive specifies an HTML sandbox policy that the user agent applies to the protected resource. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "sandbox"directive-value   = "" / sandbox-token *( 1*WSPsandbox-token )sandbox-token     = <token from RFC 7230>

When enforcing thesandbox directive, the user agent MUSTparse a sandboxing directive using thedirective-value as theinput and protected resource’sforced sandboxing flag set as the output.[HTML5]

Thesandbox directive will be ignored whenmonitoring a policy, and when contained in a policy defined via ameta element. Moreover, this directive has no effect whenmonitored, and has no reporting requirements.

7.14.1.Sandboxing and Workers

When delivered via an HTTP header, a Content Security Policy may indicate that sandboxing flags ought to be applied to a JavaScript execution environment that is not aDocument. Of particular interest is the script content intended for use as a Worker, Shared Worker, or Service Worker. Many of the sandboxing flags do not apply to such environments, butallow-scripts andallow-same-origin have special requirements.

When a resource is loaded while executing theruns aWorker algorithm, the user agent MUST act as if there was a fatal network error and no resource could be obtained if either of the following conditions holds:

1. Thesandbox directive delivered with the resource doesnot contain theallow-scripts flag.
2. Thesandbox directive delivered with the resource doesnot contain theallow-same-origin flag,and the creation of the new execution context requires it to be same-origin with its creating context.

Content-Security-Policy:sandbox

Content-Security-Policy:sandboxallow-scripts

7.15.script-src

Thescript-src directive restricts which scripts the protected resource can execute. The directive also controls other resources, such as XSLT style sheets[XSLT], which can cause the user agent to execute script. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "script-src"directive-value   =source-list

The termallowed script sources refers to the result ofparsing thescript-src directive’s value as a source list if the policy contains an explicitscript-src, or otherwise to thedefault sources.

If'unsafe-inline' isnot in the list ofallowed script sources, or if at least onenonce-source orhash-source is present in the list ofallowed script sources:

• Whenever the user agent would execute an inline script from ascript element that lacks avalid nonceand lacks avalid hash for theallowed script sources, instead the user agent MUST NOT execute script,and MUSTreport a violation.
• Whenever the user agent would execute an inline script from an inline event handler, instead the user agent MUST NOT execute script,and MUSTreport a violation.
• Whenever the user agent would execute script contained in ajavascript URL, instead the user agent MUST NOT execute the script,and MUSTreport a violation.

If'unsafe-eval' isnot inallowed script sources:

• Instead of evaluating their arguments, both operatoreval and functioneval[ECMA-262] MUST throw anEvalError exception.
• When called as a constructor, the functionFunction[ECMA-262] MUST throw anEvalError exception.
• When called with a first argument that is notcallable (a string, for example), thesetTimeout() function MUST return zero without creating a timer.
• When called with a first argument that is notcallable (a string, for example), thesetInterval() function MUST return zero without creating a timer.

Whenever the user agentfetches a URL (including when following redirects) in the course of one of the following activities, if the URL does notmatch theallowed script sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting a script while processing thesrc attribute of ascript element that lacks avalid nonce for theallowed script sources.
• Requesting a script while invoking theimportScripts method on a WorkerGlobalScope object.[WORKERS]
• Requesting an HTML component, such as when processing thehref attribute of alink element with arel attribute containing the tokenimport.[HTML-IMPORTS]
• Requesting an Extensible Stylesheet Language Transformations (XSLT)[XSLT], such as when processing the<?xml-stylesheet?> processing directive in an XML document[XML11], thehref attributes on<xsl:include> and<xsl:import> elements.

Content-Security-Policy:default-src 'self';script-src 'self' https://example.com 'nonce-$RANDOM'

Content-Security-Policy:default-src 'self';script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'

<script>alert("Blocked because the policy doesn’t have 'unsafe-inline'.")</script><script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">alert("Still blocked because nonce is wrong.")</script><script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">alert("Allowed because nonce is valid.")</script><script src="https://example.com/allowed-because-of-src.js"></script><script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"    src="https://elsewhere.com/blocked-because-nonce-is-wrong.js"></script><script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"    src="https://elsewhere.com/allowed-because-nonce-is-valid.js"></script>

Content-Security-Policy:default-src 'self';script-src 'self' https://example.com 'sha256-base64 encoded hash'

echo -n "alert('Hello, world.');" | openssl dgst -sha256 -binary | openssl enc -base64

Content-Security-Policy:script-src 'sha512-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='

<script>alert('Hello, world.');</script>

<script> alert('Hello, world.');</script><script>alert('Hello, world.'); </script><script> alert('Hello, world.'); </script><script>alert('Hello, world.');</script>

7.16.style-src

Thestyle-src directive restricts which styles the user may applies to the protected resource. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name    = "style-src"directive-value   =source-list

The termallowed style sources refers to the result ofparsing thestyle-src directive’s value as a source list if the policy contains an explicitstyle-src, or otherwise to thedefault sources.

If'unsafe-inline' isnot in the list ofallowed style sources, or if at least onenonce-source orhash-source is present in the list ofallowed style sources:

• Whenever the user agent would apply style from astyle element that lacks avalid nonceand lacks avalid hash for theallowed style sources, instead the user agentMUST ignore the style,and MUSTreport a violation.
• Whenever the user agent would apply style from astyle attribute, instead the user agentMUST ignore the style,and MUSTreport a violation.

Note: These restrictions on inline do not prevent the user agent from applying style from an external stylesheet (e.g., found via<link rel="stylesheet" ...>).

If'unsafe-eval' isnot inallowed style sources, then:

• Whenever the user agent would invoke the Cascading Style Sheets Object Model algorithmsinsert a CSS rule,parse a CSS rule,parse a CSS declaration block, orparse a group of selectors instead the user agent MUST throw aSecurityError exceptionand terminate the algorithm. This would include, for example, all invocations of CSSOM’s variouscssText setters andinsertRule methods.[CSSOM][HTML5]

Whenever the user agentfetches a URL in the course of one of the following activities, if the URL does notmatch theallowed style sources for theprotected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained,andreport a violation:

• Requesting an external stylesheet when processing thehref of alink element whoserel attribute contains the tokenstylesheet.
• Requesting an external stylesheet when processing the <<@import>> directive.
• Requesting an external stylesheet when processing aLink HTTP response header field[RFC5988].

  Note: As this stylesheet might be prefetched before aDocument actually exists, user agents will need to carefully consider how to instantiate a meaningfulpolicy against which to compare this request. See§10.1 Processing Complications for more detail.

Note: Thestyle-src directive does not restrict the use of XSLT. XSLT is restricted by thescript-src directive because the security consequences of including an untrusted XSLT stylesheet are similar to those incurred by including an untrusted script.

8.1.Sample Policy Definitions

This section provides some sample use cases and supportingpolicies.

Content-Security-Policy:default-src 'self'

Content-Security-Policy:default-src 'self'; img-src *;object-src media1.example.com media2.example.com *.cdn.example.com;script-src trustedscripts.example.com

Content-Security-Policy:default-src https: 'unsafe-inline' 'unsafe-eval'

Content-Security-Policy:script-src 'self' 'nonce-$RANDOM';

<script nonce="$RANDOM">...</script>

8.2.Sample Violation Report

This section contains an example violation report the user agent might sent to a server when the protected resource violations a sample policy.

In the following example, the user agent rendered a representation of the resourcehttp://example.org/page.html with the following policy:

default-src 'self';report-uri http://example.org/csp-report.cgi

The protected resource loaded an image fromhttp://evil.example.com/image.png, violating the policy.

{  "csp-report": {    "document-uri": "http://example.org/page.html",    "referrer": "http://evil.example.com/haxor.html",    "blocked-uri": "http://evil.example.com/image.png",    "violated-directive": "default-src 'self'",    "effective-directive": "img-src",    "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"  }}

9.1.Cascading Style Sheet (CSS) Parsing

Thestyle-src directive restricts the locations from which the protected resource can load styles. However, if the user agent uses a lax CSS parsing algorithm, an attacker might be able to trick the user agent into accepting malicious "stylesheets" hosted by an otherwise trustworthy origin.

These attacks are similar to theCSS cross-origin data leakage attack described by Chris Evans in 2009. User agents SHOULD defend against both attacks using the same mechanism: stricter CSS parsing rules for style sheets with improper MIME types.

9.2.Redirect Information Leakage

The violation reporting mechanism in this document has been designed to mitigate the risk that a malicious web site could use violation reports to probe the behavior of other servers. For example, consider a malicious web site that white listshttps://example.com as a source of images. If the malicious site attempts to loadhttps://example.com/login as an image, and theexample.com server redirects to an identity provider (e.g.,identityprovider.example.net), CSP will block the request. If violation reports contained the full blocked URL, the violation report might contain sensitive information contained in the redirected URL, such as session identifiers or purported identities. For this reason, the user agent includes only the origin of the blocked URL.

The mitigations are not complete, however: redirects which are blocked will produce side-effects which may be visible to JavaScript (viaimg.naturalHeight, for instance). An earlier version of this specification defined aCSP request header which servers could use (in conjunction with thereferer andorigin headers) to determine whether or not it was completely safe to redirect a user. This header caused some issues with CORS processing (tracked inwhatwg/fetch#52), and has been punted to the next version of this document.

11.1.Content-Security-Policy

Header field name

Content-Security-Policy

Applicable protocol

http

Status

standard

Author/Change controller

W3C

Specification document

This specification (SeeContent-Security-Policy Header Field)

11.2.Content-Security-Policy-Report-Only

Header field name

Content-Security-Policy-Report-Only

Applicable protocol

http

Status

standard

Author/Change controller

W3C

Specification document

This specification (SeeContent-Security-Policy-Report-Only Header Field)