12/11/21, 9:38 AM Content Security Policy (CSP) - HTTP | MDN

Content Security Policy (CSP)


Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

CSP is designed to be fully backward compatible (except CSP version 2, where there are some explicitly mentioned inconsistencies in backward compatibility; see section 1.1 of the CSP 2 specification). Browsers that don't support it still work with servers that implement it, and vice versa: browsers that don't support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)

Alternatively, the <meta> element can be used to configure a policy, for example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

Threats
Mitigating cross-site scripting
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust in the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes).

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP 1/26

As an ultimate form of protection, sites that want to never allow scripts to be executed can opt to globally disallow script execution.

Mitigating packet sniffing attacks


In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS. A complete data transmission security strategy includes not only enforcing HTTPS for data transfer, but also marking all cookies with the secure attribute and providing automatic redirects from HTTP pages to their HTTPS counterparts. Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel.

Using CSP
Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page. For example, a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross-site scripting attack. This article explains how to construct such headers properly, and provides examples.

Specifying your policy


You can use the Content-Security-Policy HTTP header to specify your policy, like this:

Content-Security-Policy: policy

The policy is a string containing the policy directives describing your Content Security Policy.

Writing a policy
A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute. There are specific directives for a wide variety of types of items, so that each type can have its own policy, including fonts, frames, images, audio and video media, scripts, and workers.

Examples: Common use cases


This section provides examples of some common security policy scenarios.

Example 1
A web site administrator wants all content to come from the site's own origin (this excludes subdomains).

Content-Security-Policy: default-src 'self'

Example 2
A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on).

Content-Security-Policy: default-src 'self' trusted.com *.trusted.com

Example 3
A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.

Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

Here, by default, content is only permitted from the document's origin, with the following exceptions:

Images may load from anywhere (note the "*" wildcard).

Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).

Executable script is only allowed from userscripts.example.com. Note that a more specific directive replaces default-src for its resource type rather than adding to it: because script-src is present, 'self' no longer applies to scripts.

Example 4
A web site administrator for an online banking site wants to ensure that all its content is loaded using TLS, in order to prevent attackers from eavesdropping on requests.

Content-Security-Policy: default-src https://onlinebanking.jumbobank.com

The server permits access only to documents being loaded specifically over HTTPS through the single origin onlinebanking.jumbobank.com.

Example 5
A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.

Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *

Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the sources listed there: the originating server and subdomains of mailsite.com. Inline scripts and eval() are blocked because neither 'unsafe-inline' nor 'unsafe-eval' appears in that list.
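The following is an added worked example, not code from MDN: a small JavaScript (Node) matcher that applies the source-list rules behind Examples 1 to 5 and the default-src fallback described under "Writing a policy", so a policy can be checked against concrete URLs before it is shipped. It goes a little beyond the examples by also handling the port and path parts of a host-source and the child-src fallback that frame-src and worker-src use; it does not model nonces, hashes or the 'unsafe-*' keywords. The policies and URLs it is run against are constructed for this example (trusted.com, media1.com, jumbobank.com and the rest are the placeholder hosts from the examples above).

```javascript
// Added example, not MDN's code: answers "would this policy let a page at
// documentUrl load `resource` through `directive`?" using the CSP host-source,
// scheme-source, 'self'/'none'/* rules and the default-src fallback chain.
// Nonces, hashes and 'unsafe-*' keywords are deliberately out of scope.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const NETWORK_SCHEMES = new Set(Object.keys(DEFAULT_PORTS));

// Fallback chain for fetch directives: the first directive in the chain that is
// present in the policy governs the request; nothing is merged across levels.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};
for (const d of ['script-src', 'style-src', 'img-src', 'media-src', 'font-src',
                 'connect-src', 'object-src', 'child-src', 'manifest-src']) {
  FALLBACK[d] = [d, 'default-src'];
}

// "directive src src; directive src" -> Map(directive -> [src...]); a repeated
// directive is ignored, as browsers ignore all but the first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// An http: or ws: source also admits its TLS upgrade (https:, wss:).
function schemeMatches(srcScheme, urlScheme) {
  return srcScheme === urlScheme
    || (srcScheme === 'http:' && urlScheme === 'https:')
    || (srcScheme === 'ws:' && urlScheme === 'wss:');
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return hostname.endsWith(pattern.slice(1)); // subdomains only, not the apex
  return hostname === pattern;                                              // exact host: excludes subdomains
}

// Does one source expression admit `url` for a document at `documentUrl`?
function sourceMatches(expr, url, documentUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === documentUrl.origin;
  if (e === '*') return NETWORK_SCHEMES.has(url.protocol) || url.protocol === documentUrl.protocol;
  if (e.startsWith("'")) return false;                                    // 'nonce-…', 'sha256-…', 'unsafe-*'
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url.protocol); // scheme-source, e.g. "https:"

  // host-source: [scheme://](* | [*.]host)[:port | :*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*|(?:\*\.)?[^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;

  // No scheme in the source: the document's own scheme is required (with the upgrade rule above).
  if (!schemeMatches(scheme ?? documentUrl.protocol, url.protocol)) return false;
  if (!hostMatches(hostPattern, url.hostname)) return false;

  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || '')) return false;   // no port listed: default port only
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Resolve the governing directive for `directive` under `policy`, then test `resource`.
function isAllowed(policy, directive, resource, documentUrl) {
  const directives = parsePolicy(policy);
  const chain = FALLBACK[directive] ?? [directive];
  const governing = chain.find(name => directives.has(name));
  if (governing === undefined) return true;   // nothing in the policy restricts this type
  const url = new URL(resource), doc = new URL(documentUrl);
  return directives.get(governing).some(src => sourceMatches(src, url, doc));
}

// Usage: Example 1 excludes subdomains; Example 3's script-src replaces default-src.
console.log(isAllowed("default-src 'self'", 'img-src', 'https://static.example.com/a.png', 'https://example.com/')); // false
console.log(isAllowed("default-src 'self'; script-src userscripts.example.com", 'script-src',
                      'https://example.com/app.js', 'https://example.com/'));                                  // false
```

The two checks at the bottom are the ones people get wrong most often: 'self' never covers subdomains, and adding script-src does not extend default-src, it replaces it for scripts. Run a candidate policy through isAllowed for every origin the page legitimately loads from before switching it from report-only to enforcing.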

Testing your policy


To ease deployment, CSP can be deployed in report-only mode. The policy is not enforced, but any violations are reported to a provided URI. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.

You can use the Content-Security-Policy-Report-Only HTTP header to specify your policy, like this:

Content-Security-Policy-Report-Only: policy

If both a Content-Security-Policy-Report-Only header and a Content-Security-Policy header are present in the same response, both policies are honored. The policy specified in Content-Security-Policy headers is enforced while the Content-Security-Policy-Report-Only policy generates reports but is not enforced.

Enabling reporting
By default, violation reports aren't sent. To enable violation reporting, you need to specify the report-uri policy directive, providing at least one URI to which to deliver the reports:

Content-Security-Policy: default-src 'self'; report-uri http://reportcollector

Then you need to set up your server to receive the reports; it can store or process them in whatever manner you determine is appropriate.

Violation report syntax


The report JSON object contains the following data:

blocked-uri
The URI of the resource that was blocked from loading by the Content Security Policy. If the blocked URI is from a different origin than the document-uri, then the blocked URI is truncated to contain just the scheme, host, and port.

disposition
Either "enforce" or "report", depending on whether the Content-Security-Policy header or the Content-Security-Policy-Report-Only header, respectively, was used.

document-uri
The URI of the document in which the violation occurred.

effective-directive
The directive whose enforcement caused the violation. Some browsers may provide different values, such as Chrome providing style-src-elem / style-src-attr, even when the actually enforced directive was style-src.

original-policy
The original policy as specified by the Content-Security-Policy HTTP header.

referrer
The referrer of the document in which the violation occurred.

script-sample
The first 40 characters of the inline script, event handler, or style that caused the violation. Only applicable to script-src* and style-src* violations, and only when the directive contains the 'report-sample' keyword.

status-code
The HTTP status code of the resource on which the global object was instantiated.


violated-directive
The name of the policy section that was violated.

Sample violation report


Let's consider a page located at http://example.com/signup.html. It uses the following policy, disallowing everything but stylesheets from cdn.example.com.

Content-Security-Policy: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports

The HTML of signup.html looks like this:

<!DOCTYPE html>
<html>
  <head>
    <title>Sign Up</title>
    <link rel="stylesheet" href="css/style.css">
  </head>
  <body>
    ... Content ...
  </body>
</html>

Can you spot the mistake? Stylesheets are allowed to be loaded only from cdn.example.com, yet the website tries to load one from its own origin (http://example.com). A browser capable of enforcing CSP would send the following violation report as a POST request to http://example.com/_/csp-reports, when the document is visited:

{
  "csp-report": {
    "document-uri": "http://example.com/signup.html",
    "referrer": "",
    "blocked-uri": "http://example.com/css/style.css",
    "violated-directive": "style-src cdn.example.com",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
  }
}

As you can see, the report includes the full path to the violating resource in blocked-uri. This is not always the case. For example, if signup.html attempted to load CSS from http://anothercdn.example.com/stylesheet.css, the browser would not include the full path, but only the origin (http://anothercdn.example.com). The CSP specification gives an explanation of this odd behavior. In summary, this is done to prevent leaking sensitive information about cross-origin resources.
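The following is an added example, not MDN's code: a triage step for the JSON bodies a browser POSTs to the report-uri endpoint. It normalises the fields listed above (preferring effective-directive, folding Chrome's -elem/-attr variants onto the base directive, and recording whether a cross-origin blocked-uri has been truncated to its origin), drops reports caused by browser extensions, and aggregates the rest so that one misconfiguration shows up once, with a count, instead of once per page view. The four report bodies are constructed for this example, the first of them being the sample report above; the list of extension URL schemes treated as noise is an assumption about what browsers send, not something this page states.

```javascript
// Added example, not MDN's code: parse and aggregate CSP violation reports as
// received at a report-uri endpoint. Sample bodies are constructed; the set of
// extension schemes below is an assumption, extend it for your own traffic.

const EXTENSION_SCHEMES = new Set(['chrome-extension', 'moz-extension', 'safari-extension', 'ms-browser-extension']);

// Origin of a URI, or null for non-URL values such as "inline", "eval" or "data".
function originOf(uri) {
  try { return new URL(uri).origin; } catch { return null; }
}

// Normalise one POSTed body into a flat record, rejecting malformed input early.
function parseReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('body has no csp-report object');
  for (const key of ['document-uri', 'blocked-uri', 'violated-directive', 'original-policy']) {
    if (typeof r[key] !== 'string') throw new Error(`report is missing ${key}`);
  }
  // Prefer effective-directive; fold Chrome's -elem/-attr variants onto the base
  // directive so the same rule reported by different browsers groups together.
  const raw = (r['effective-directive'] || r['violated-directive']).trim().split(/\s+/)[0];
  const directive = raw.replace(/-(elem|attr)$/, '');
  const blocked = r['blocked-uri'];
  const blockedOrigin = originOf(blocked);
  const documentOrigin = originOf(r['document-uri']);
  return {
    directive,
    blocked,
    document: r['document-uri'],
    // Browsers strip the path from cross-origin blocked URIs, so only an origin arrives here.
    crossOrigin: blockedOrigin !== null && documentOrigin !== null && blockedOrigin !== documentOrigin,
    // Older reports carry no disposition field at all.
    disposition: r['disposition'] === 'enforce' || r['disposition'] === 'report' ? r['disposition'] : 'unknown',
    sample: typeof r['script-sample'] === 'string' ? r['script-sample'].slice(0, 40) : null,
  };
}

// Reports caused by browser extensions injecting content are not bugs in the policy.
function isNoise(report) {
  const scheme = report.blocked.split(':')[0].toLowerCase();
  return EXTENSION_SCHEMES.has(scheme);
}

// Group by (directive, blocked URI), count, and note whether any report came from
// an enforcing policy, i.e. a user actually saw the resource blocked.
function aggregateReports(bodies) {
  const groups = new Map();
  for (const body of bodies) {
    const report = parseReport(body);
    if (isNoise(report)) continue;
    const key = `${report.directive} ${report.blocked}`;
    const g = groups.get(key) ?? { ...report, count: 0, enforced: false };
    g.count += 1;
    g.enforced = g.enforced || report.disposition === 'enforce';
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample bodies: the page's own report, the same violation from an
// enforcing CSP3 browser, a cross-origin script blocked under report-only, and
// extension noise.
const POLICY = "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports";
const SAMPLE_BODIES = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://example.com/signup.html', referrer: '',
    'blocked-uri': 'http://example.com/css/style.css',
    'violated-directive': 'style-src cdn.example.com', 'original-policy': POLICY } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://example.com/signup.html', referrer: '',
    'blocked-uri': 'http://example.com/css/style.css', 'effective-directive': 'style-src-elem',
    'violated-directive': 'style-src-elem', disposition: 'enforce', 'original-policy': POLICY } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://example.com/signup.html', referrer: '',
    'blocked-uri': 'http://anothercdn.example.com', 'effective-directive': 'script-src-elem',
    'violated-directive': 'script-src-elem', disposition: 'report', 'original-policy': POLICY } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://example.com/signup.html', referrer: '',
    'blocked-uri': 'chrome-extension', 'violated-directive': 'script-src-elem', 'original-policy': POLICY } }),
];

// Usage: two rows remain, the duplicate is merged and the extension report dropped.
for (const row of aggregateReports(SAMPLE_BODIES)) {
  console.log(`${row.count}x ${row.directive} blocked ${row.blocked}` +
              (row.crossOrigin ? ' (origin only)' : '') + (row.enforced ? ' [enforced]' : ''));
}
```

Rows with enforced false during a report-only rollout are the things that would break if the candidate policy were enforced; rows with crossOrigin true carry only an origin, so the page's markup is needed to find the exact resource. Validate and size-limit the POST body before this step, because the endpoint is reachable by anyone who can see the policy.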

Browser compatibility

Columns, in order: Chrome, Edge, Firefox, Internet Explorer, Opera, Safari, WebView Android, Chrome Android, Firefox for Android, Opera Android, Safari on iOS, Samsung Internet. A number is the first version with support; "A – B" means support was added in version A and removed in version B; "Yes" is support without a known first version; "No" is no support; "?" is unknown; "TP" is Safari Technology Preview.

Content-Security-Policy: 25, 14, 23, 10, 15, 7, Yes, Yes, 23, Yes, 7, Yes
base-uri: 40, 79, 35, No, 27, 10, Yes, Yes, 35, ?, 9.3, Yes
block-all-mixed-content: Yes, 79, 48, No, Yes, ?, Yes, Yes, 48, ?, ?, Yes
child-src: 40, 15, 45, No, 27, 10, Yes, Yes, 45, ?, 9.3, Yes
connect-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
default-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
font-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
form-action: 40, 15, 36, No, 27, 10, Yes, Yes, 36, ?, 9.3, Yes
frame-ancestors: 40, 15, 33, No, 26, 10, ?, Yes, 33, ?, 9.3, Yes
frame-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
img-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
manifest-src: Yes, 79, 41, No, Yes, No, Yes, Yes, 41, ?, No, Yes
media-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
<meta> element support: Yes, 18, 45, No, Yes, Yes, Yes, Yes, 45, Yes, Yes, Yes
navigate-to: No in every listed browser
object-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
plugin-types: 40 – 90, 15 – 90, No, No, 27 – 76, 10, ? – 90, ? – 90, No, ?, 9.3, ? – 15.0
prefetch-src: No in every listed browser
referrer: 33 – 56, No, 37 – 62, No, ? – 43, No, 4.4.3 – 56, 33 – 56, 37 – 62, ? – 43, No, 2.0 – 6.0
report-sample: 59, 79, ?, ?, 46, ?, 59, 59, ?, 43, ?, 7.0
report-to: 70, 79, No, No, No, No, 70, 70, No, No, No, 10.0
report-uri: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
require-sri-for: 54, 79, 49 – 68, No, 41, No, 54, 54, 49 – 68, 41, No, 6.0
require-trusted-types-for: 83, 83, No, No, 69, No, 83, 83, No, 59, No, 13.0
sandbox: 25, 14, 50, 10, 15, 7, Yes, Yes, 50, ?, 7, Yes
script-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
script-src, with external scripts: 59, 79, ?, No, ?, ?, 59, 59, ?, ?, ?, 7.0
script-src-attr: 75, 79, No, No, 62, No, 75, 75, No, ?, No, 11.0
script-src-elem: 75, 79, No, No, 62, No, 75, 75, No, ?, No, 11.0
strict-dynamic: 52, 79, 52, No, 39, TP, 52, 52, No, 41, No, 6.0
style-src: 25, 14, 23, No, 15, 7, Yes, Yes, 23, ?, 7, Yes
style-src-attr: 75, 79, No, No, 62, No, 75, 75, No, ?, No, 11.0
style-src-elem: 75, 79, No, No, 62, No, 75, 75, No, ?, No, 11.0
trusted-types: 83, 83, No, No, 69, No, 83, 83, No, No, No, 13.0
unsafe-hashes: 69, 79, No, No, 56, No, 69, 69, No, 48, No, 10.0
upgrade-insecure-requests: 43, 17, 42, No, 30, 10.1, 43, 43, 42, 30, 10.3, 4.0
Worker support: Yes, 79, 50, No, ?, 10, Yes, Yes, 50, ?, 10, Yes
worker-src: 59, 79, 58, No, 48, No, 59, 59, 58, 45, No, 7.0

Legend used by the original table: Full support; No support; Compatibility unknown; Experimental (expect behavior to change in the future); Non-standard (check cross-browser support before using); Deprecated (not for use in new websites); See implementation notes; User must explicitly enable this feature; Uses a non-standard name.

A specific incompatibility exists in some versions of the Safari web browser, whereby if a Content Security Policy header is set, but not a Same Origin header, the browser will block self-hosted content and off-site content, and incorrectly report that this is due to the Content Security Policy not allowing the content.

See also
Content-Security-Policy HTTP Header
Content-Security-Policy-Report-Only HTTP Header
Content Security in WebExtensions
CSP in Web Workers

Privacy, permissions, and information security


CSP Evaluator - Evaluate your Content Security Policy
CSP Scanner - Improve your Content Security Policy

Last modified: Dec 1, 2021, by MDN contributors
