Date: 2015-10-28
Last Update: 2015-12-12
Cosmetic Update: 2018-09-18
The Whitelist System
-> Whitelist CSP
Examples
THERE ARE MORE EXAMPLES COMING. DESCRIPTIONS WILL BE ADDED.
THE CSP SHOULD BE ON EVERY HTML PAGE, WITH FEW EXCEPTIONS.
```html
<!-- Good default declaration:
  * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
  * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
  * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
    * Enable inline JS: add 'unsafe-inline' to default-src
    * Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap: https://ssl.gstatic.com;
               style-src 'self' 'unsafe-inline';
               media-src *">
```

```html
<!-- Enable all requests, inline styles, inline javascript and eval() -->
<meta http-equiv="Content-Security-Policy"
      content="default-src *;
               style-src 'self' 'unsafe-inline';
               script-src 'self' 'unsafe-inline' 'unsafe-eval'">
```

```html
<!-- My Extension, if any different -->
<!-- Same as above, except accept from any source -->
<meta http-equiv="Content-Security-Policy"
      content="default-src *;
               style-src * 'self' 'unsafe-inline' 'unsafe-eval';
               script-src * 'self' 'unsafe-inline' 'unsafe-eval';">
```
directive | usage | Also Applies to |
---|---|---|
base-uri | unclear | - |
child-src | used, if it contains a value, otherwise 'default-src' | - |
connect-src | used, if it contains a value, otherwise 'default-src' | - |
default-src | this directive is the fallback for many directives. | The following directives use this directive as a fallback: child-src, connect-src, font-src, img-src, media-src, object-src, script-src, style-src |
font-src | used, if it contains a value, otherwise 'default-src' | - |
form-action | used, if it contains a value, otherwise "acts" as if fatal error and reports a violation | - |
frame-ancestors¥ | frame, iframe, object, embed or applet | - |
frame-src | is deprecated | - |
img-src | used, if it contains a value, otherwise 'default-src' | - |
media-src | used, if it contains a value, otherwise 'default-src' | - |
object-src | used, if it contains a value, otherwise 'default-src' | overlaps with another directive; unclear as to outcome. |
plugin-types | restricts plugins via MIME type | - |
report-uri¥ | - | - |
sandbox¥ | - | - |
script-src | used, if it contains a value, otherwise 'default-src' | 'unsafe-inline' and 'unsafe-eval' are required to override the default setting, regardless of 'default-src' |
style-src | used, if it contains a value, otherwise 'default-src' | 'unsafe-inline' and 'unsafe-eval' are required to override the default setting, regardless of 'default-src' |
- ¥ = W3 CSP 3.3 "HTML meta Element" says: "5. Remove all occurrences of report-uri, frame-ancestors, and sandbox directives from directive-set."
Safer inline Javascript and CSS
- nonce - a cryptographically random value, generated fresh per response, that marks the inline items carrying it as allowed
- hash - a cryptographic hash of an inline item's exact contents; only items whose hash matches are allowed
Need to add examples.
- W3.org CSP2
- Mozilla CSP Policy Directives
- Google Chrome Content Security Policy (CSP)
- http://content-security-policy.com/
- CSP Playground
- CanIUse
- Crosswalk Content security policy
- An Introduction to Content Security Policy - Updated: May 8th, 2015
- Using Content Security Policy to Make Apps More Secure - Oct 13, 2015
- [CSP] On Reporting and Filtering - September 21, 2015
- [CSP] Unsafe-inline and nonce deployment - September 22, 2015
- 2015-11-28 - fixed typo, was source-src should have been script-src