Compare Revisions
CSP: connect-src
Revision 1140259:
Revision 1140259 by fscholz on
Revision 1140965:
Revision 1140965 by fscholz on
- Title:
- Content-Security-Policy: connect-src
- Content-Security-Policy: connect-src
- Slug:
- Web/HTTP/Headers/Content-Security-Policy/connect-src
- Web/HTTP/Headers/Content-Security-Policy/connect-src
- Tags:
- "CSP" "Directive" "HTTP" "Reference" "Security"
- "CSP" "Directive" "HTTP" "Reference" "Security"
- Content:
-
Revision 1140259 Revision 1140965 n n 63 <h3> 64 Sources 65 </h3> n 64 <source> can be one of the following: n 67 {{page("Web/HTTP/Headers/Content-Security-Policy/default-sr > c", "Sources")}} n 66 <dl> n 67 <dt> 68 <host-source> 69 </dt> 70 <dd> 71 Internet hosts by name or IP address, as well as an optio > nal <a href="/en-US/docs/URIs_and_URLs">URL scheme</a> and/or por > t number. The site's address may include an optional leading wild > card (the asterisk character, <code>'*'</code>), and you may use > a wildcard (again, <code>'*'</code>) as the port number, indicati > ng that all legal ports are valid for the source.<br> 72 Examples: 73 <ul> 74 <li> 75 <code>http://*.example.com</code>: Matches all attemp > ts to load from any subdomain of example.com using the <code>http > :</code> URL scheme. 76 </li> 77 <li> 78 <code>mail.example.com:443</code>: Matches all attemp > ts to access port 443 on mail.example.com. 79 </li> 80 <li> 81 <code>https://store.example.com</code>: Matches all a > ttempts to access store.example.com using <code>https:</code>. 82 </li> 83 </ul> 84 </dd> 85 <dt> 86 <scheme-source> 87 </dt> 88 <dd> 89 A schema such as 'http:' or 'https:'. The colon is requir > ed. You can also specify data schemas (not recommended). 90 <ul> 91 <li>'<code>data:</code>' Allows <a href="/en-US/docs/We > b/HTTP/Basics_of_HTTP/Data_URIs"><code>data:</code> URIs</a> to b > e used as a content source. <em>This is insecure; an attacker can > also inject arbitrary data: URIs. Use this sparingly and definit > ely not for scripts.</em> 92 </li> 93 <li> 94 <code>'mediastream:'</code> Allows <a href="/en-US/do > cs/Web/API/MediaStream_API"><code>mediastream:</code> URIs</a> to > be used as a content source. 95 </li> 96 <li> 97 <code>'blob:'</code> Allows <a href="/en-US/docs/Web/ > API/Blob"><code>blob:</code> URIs</a> to be used as a content sou > rce. 
98 </li> 99 <li> 100 <code>'filesystem:'</code> Allows <a href="/en-US/doc > s/Web/API/FileSystem"><code>filesystem:</code> URIs</a> to be use > d as a content source. 101 </li> 102 </ul> 103 </dd> 104 <dt> 105 <code>'self'</code> 106 </dt> 107 <dd> 108 Refers to the origin from which the protected document is > being served, including the same URL scheme and port number. You > must include the single quotes. Some browsers specifically exclu > de <code>blob</code> and <code>filesystem</code> from source dire > ctives. Sites needing to allow these content types can specify th > em using the Data attribute. 109 </dd> 110 <dt> 111 <code>'unsafe-inline'</code> 112 </dt> 113 <dd> 114 Allows the use of inline resources, such as inline {{HTML > Element("script")}} elements, <code>javascript:</code> URLs, inli > ne event handlers, and inline {{HTMLElement("style")}} elements. > You must include the single quotes. 115 </dd> 116 <dt> 117 <code>'unsafe-eval'</code> 118 </dt> 119 <dd> 120 Allows the use of <code>eval()</code> and similar methods > for creating code from strings. You must include the single quot > es. 121 </dd> 122 <dt> 123 <code>'none'</code> 124 </dt> 125 <dd> 126 Refers to the empty set; that is, no URLs match. The sing > le quotes are required. 127 </dd> 128 </dl> n 177 {{specName("CSP 3.0")}} n 117 {{specName("CSP 3.0", "#directive-connect-src", "conn > ect-src")}} n 188 {{specName("CSP 1.0")}} n 128 {{specName("CSP 1.1", "#directive-connect-src", "conn > ect-src")}} t 191 {{Spec2('CSP 1.0')}} t 131 {{Spec2('CSP 1.1')}}
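Review bot: Replacing the inline `<dl>` of source expressions with `{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}` leaves this page with no source definitions of its own, so the Sources section renders empty unless the default-src page has a section headed exactly "Sources"; verify that heading exists before landing. Two details from the removed text deserve attention in the shared copy: the `'unsafe-inline'` and `'unsafe-eval'` entries describe inline `<script>`/`<style>` elements, `javascript:` URLs and `eval()`, none of which connect-src controls, so the transcluded list should say those keywords have no effect for this directive; and the removed advice that sites can allow `blob` and `filesystem` "using the Data attribute" contradicts the same list, which already admits them as the `'blob:'` and `'filesystem:'` scheme sources, so that sentence should not be carried over.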
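Review bot: In the specifications table, changing `{{specName("CSP 1.0")}}` / `{{Spec2('CSP 1.0')}}` to `{{specName("CSP 1.1", "#directive-connect-src", "connect-src")}}` / `{{Spec2('CSP 1.1')}}` is a content change rather than a link fix: the previous revision named CSP 1.0 as the defining specification, and this hunk now states it was CSP 1.1. Confirm that connect-src is indeed absent from the 1.0 document; if it is not, keep the CSP 1.0 row (with a matching `#directive-connect-src` anchor, as the CSP 3.0 row now has) so the table still records where the directive was first defined.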