

navigate-to (CSP Level 3)

Restricts the URLs that the document may navigate to by any means. For example when a link is clicked, a form is submitted, or window.location is invoked. If form-action is present then this directive is ignored for form submissions.

All of the directives that end with -src support similar values known as a source list. Multiple source list values can be space separated with the exception of 'none' which should be the only value.

Prevents loading resources from any source.
Allows loading resources from the same origin (same scheme, host and port).
Allows loading resources via the data scheme (e.g. Base64 encoded images).
Allows loading resources from the specified domain name.
Allows loading resources from any subdomain under .
Allows loading resources only over HTTPS matching the given domain.
Allows loading resources only over HTTPS on any domain.
Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to) and javascript: URIs.
Allows unsafe dynamic code evaluation such as JavaScript eval().
Allows an inline script or CSS to execute if its hash matches the specified hash in the header. Currently supports SHA256, SHA384 or SHA512.
Wildcard, allows any URL except data: blob: filesystem: schemes.
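An added example (not code from the original page): computing the hash source value for an inline script and assembling a policy whose source lists follow the rule that 'none' must be the only value. The helper names, the sample script body and the directives chosen are assumptions made for illustration.

```python
import base64
import hashlib

# Digests the page lists as supported for hash sources.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(inline_text: str, alg: str = "sha256") -> str:
    """Return the quoted source-list value for an inline script or style body."""
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    # The digest covers the exact characters between the tags, whitespace included.
    digest = SUPPORTED[alg](inline_text.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode('ascii')}'"


def source_list(values: list[str]) -> str:
    """Join source-list values with spaces; 'none' must be the only value."""
    if not values:
        raise ValueError("empty source list")
    if "'none'" in values and len(values) > 1:
        raise ValueError("'none' cannot be combined with other sources")
    return " ".join(values)


def policy(directives: dict[str, list[str]]) -> str:
    """Serialize directives into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {source_list(vals)}" for name, vals in directives.items())


# Constructed sample: the body of one inline <script> element.
INLINE_SCRIPT = "document.title = 'ok';"

if __name__ == "__main__":
    header = policy({
        "default-src": ["'none'"],
        "script-src": ["'self'", hash_source(INLINE_SCRIPT)],
        "img-src": ["'self'", "data:"],
    })
    print("Content-Security-Policy:", header)
    # One extra trailing space gives a different hash, so the policy no longer matches.
    print(hash_source(INLINE_SCRIPT) == hash_source(INLINE_SCRIPT + " "))
```

Because the hash covers the exact bytes of the inline body, regenerate it whenever a template, minifier or formatter changes the script text.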
