Revision 791098 of Content Security Policy (CSP)

<p>{{ gecko_minversion_header("2.0") }}</p>

<p>Configuring Content Security Policy involves&nbsp;adding the <code>Content-Security-Policy</code> HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page. For example a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross site scripting attack.</p>

<p>Prior to Firefox 23, the <code>X-Content-Security-Policy</code> HTTP header was used. Firefox 23 and later use the now-standard <code>Content-Security-Policy</code> header. During the transition from the previous header to the new header, sites can send both the <code>X-Content-Security-Policy</code> and <code>Content-Security-Policy</code> headers. In this situation, the <code>X-Content-Security-Policy</code> will be ignored and the policy contained in the <code>Content-Security-Policy</code> header will be used.</p>

<h2 id="Specifying_your_policy">Specifying your policy</h2>

<p>You can use the <code>Content-Security-Policy</code> HTTP&nbsp;header to specify your policy, like this:</p>

<pre>
Content-Security-Policy: <em>policy</em>
</pre>

<p>The policy is a string containing the <a href="/en/Security/CSP/CSP_policy_directives" title="en/Security/CSP/CSP policy directives">policy directives</a> describing your Content Security Policy.</p>

<h2 id="Writing_a_policy">Writing a policy</h2>

<p>A policy is described using a series of <a href="/en/Security/CSP/CSP_policy_directives" title="en/Security/CSP/CSP policy directives">policy directives</a>, each of which describes the policy for a certain resource type or policy area. Your policy should include a&nbsp;<code>default-src</code>&nbsp;policy directive, which is a fallback for other resource types when they don't have policies of their own. (For a complete list, see the <a href="/en-US/docs/Web/Security/CSP/CSP_policy_directives#default-src">description of the default-src directive</a>.) A policy needs to include a default-src or script-src directive to prevent&nbsp;inline scripts from running, as well as blocking the use of <code>eval()</code>. A policy needs to include a <code>default-src</code> or <code>style-src</code> directive to restrict inline styles from being applied from a <code>&lt;style&gt;</code> element or a <code>.style attribute</code></p>

<p>The syntax for a policy is a string of semicolon-separated directives, each following the syntax described in <a href="/en/Security/CSP/CSP_policy_directives#Supported_policy_directives" title="en/Security/CSP/CSP policy directives#Supported policy directives">Supported policy directives</a>.</p>

<h2 id="Examples.3A_Common_use_cases">Examples:&nbsp;Common use cases</h2>

<p>This section provides examples of some common security policy scenarios.</p>

<h3 id="Example_1">Example 1</h3>

<p>A web site administrator wants all content to come from the site's own origin (this excludes subdomains.)</p>

<pre>
Content-Security-Policy: default-src 'self'
</pre>

<h3 id="Example_2">Example 2</h3>

<p>A&nbsp;web site administrator wants to allow content from a trusted origin (including the domain and all its subdomains.)</p>

<pre>
Content-Security-Policy: default-src 'self' *.trusted.com
</pre>

<h3 id="Example_3">Example 3</h3>

<p>A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to&nbsp;trusted providers, and all scripts only to a specific server that hosts trusted code.</p>

<pre>
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
</pre>

<p>Here, by default, content is only permitted from the document's origin, with the following exceptions:</p>

<ul>
 <li>Images may loaded from anywhere (note the "*" wildcard).</li>
 <li>Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).</li>
 <li>Executable script is only allowed from userscripts.example.com.</li>
</ul>

<h3 id="Example_4">Example 4</h3>

<p>A web site administrator for an online banking site wants to ensure that all its content is loaded using&nbsp;SSL, in order to prevent attackers from eavesdropping on requests.</p>

<pre>
Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
</pre>

<p>The server only permits access to documents being loaded specifically over HTTPS through the single origin onlinebanking.jumbobank.com.</p>

<h3 id="Example_5">Example 5</h3>

<p>A web site administrator of a web mail site wants to allow HTML&nbsp;in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.</p>

<pre>
Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *
</pre>

<p>Note that this example doesn't specify a <a href="/en/Security/CSP/CSP_policy_directives#script-src" title="en/Security/CSP/CSP policy directives#script-src"><code>script-src</code></a>; with the example CSP, this site uses the setting specified by the <a href="/en/Security/CSP/CSP_policy_directives#allow" title="en/Security/CSP/CSP policy directives#allow"><code>default-src</code></a> directive, which means that scripts can be loaded only from the originating server.</p>

<h2 id="Testing_your_policy">Testing your policy</h2>

<p>To ease deployment, CSP can be deployed in <a class="link-https" href="http://www.w3.org/TR/CSP/#content-security-policy-report-only-header-field" title="https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-unofficial-draft-20110315.html#report-only-mode">"report-only" mode</a>. The policy is not enforced, but any violations are reported to a provided URI. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.</p>

<p>You can use the <code>Content-Security-Policy-Report-Only</code> HTTP&nbsp;header to specify your policy, like this:</p>

<pre>
Content-Security-Policy-Report-Only: <em>policy</em> 
</pre>

<p>If both a <code>Content-Security-Policy-Report-Only</code> header and a <code>Content-Security-Policy</code> header are present in the same response, both policies are honored. The policy specified in <code>Content-Security-Policy</code> headers is enforced while the <code>Content-Security-Policy-Report-Only</code> policy generates reports but is not enforced.</p>

<p>Note that the <code>X-Content-Security-Policy-Report-Only</code> header was used before Firefox 23. If both the <code>X-Content-Security-Policy-Report-Only</code> and <code>Content-Security-Policy-Report-Only</code> are sent, the <code>Content-Security-Policy-Report-Only</code> will be used and the <code>X-Content-Security-Policy-Report-Only</code> will be ignored.</p>

<p>The <a href="https://addons.mozilla.org/en-us/firefox/addon/newusercspdesign/" title="https://addons.mozilla.org/en-us/firefox/addon/newusercspdesign/">UserCSP Addon</a> also helps test and develop Content Security Policies for a site.</p>

<h2 id="See_also">See also</h2>

<ul>
 <li><a href="/en/Security/CSP/Introducing_Content_Security_Policy" title="en/Security/CSP/Introducing Content Security Policy">Introducing Content Security Policy</a></li>
 <li><a href="/en/Security/CSP/CSP_policy_directives" title="en/Security/CSP/CSP policy directives">CSP&nbsp;policy directives</a></li>
 <li><a href="/en/Security/CSP/Using_CSP_violation_reports" title="en/Security/CSP/Using CSP violation reports">Using CSP violation reports</a></li>
 <li><a class="external" href="http://brandon.sternefamily.net/posts/2010/10/content-security-policy-recommendation-bookmarklet/" title="http://brandon.sternefamily.net/posts/2010/10/content-security-policy-recommendation-bookmarklet/">Content Security Policy recommendation bookmarklet</a></li>
</ul>

<div class="noinclude">
<p>{{ languages( { "ja": "ja/Security/CSP/Using_Content_Security_Policy" } ) }}</p>
</div>

<p>&nbsp;</p>