Revision 1140965 of CSP: connect-src

  • Revision slug: Web/HTTP/Headers/Content-Security-Policy/connect-src
  • Revision title: Content-Security-Policy: connect-src
  • Revision id: 1140965
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment
Tags: 

Revision Content
{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} connect-src directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are:

  • {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},
  • {{domxref("Fetch")}},
  • {{domxref("XMLHttpRequest")}},
  • {{domxref("WebSocket")}}, and
  • {{domxref("EventSource")}}.
CSP version 1
Directive type {{Glossary("Fetch directive")}}
{{CSP("default-src")}} fallback Yes. If this directive is absent, the user agent will look for the default-src directive.

Syntax

One or more sources can be allowed for the connect-src policy:

Content-Security-Policy: connect-src <source>;
Content-Security-Policy: connect-src <source> <source>;

Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}

Examples

Violation cases

Given this CSP header:

Content-Security-Policy: connect-src https://example.com/

This following connections are blocked and won't load:

<a ping="https://not-example.com">

<script>
  var xhr = new XMLHttpRequest(); 
  xhr.open('GET', 'https://not-example.com/'); 
  xhr.send();

  var ws = new WebSocket("https://not-example.com/");

  var es = new EventSource("https://not-example.com/"); 

  navigator.sendBeacon("https://not-example.com/", { ... });
</script>

Specifications

Specification Status Comment
{{specName("CSP 3.0", "#directive-connect-src", "connect-src")}} {{Spec2('CSP 3.0')}} No changes.
{{specName("CSP 1.1", "#directive-connect-src", "connect-src")}} {{Spec2('CSP 1.1')}} Initial definition.

Browser compatibility

{{Compat}}

Compatibility notes

  • Prior to Firefox 23, xhr-src was used in place of the connect-src directive and only restricted the use of {{domxref("XMLHttpRequest")}}.

See also

  • {{HTTPHeader("Content-Security-Policy")}}
  • {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}
  • {{domxref("Fetch")}}
  • {{domxref("XMLHttpRequest")}}
  • {{domxref("WebSocket")}}
  • {{domxref("EventSource")}}

Revision Source

 
<div>{{HTTPSidebar}}</div>

<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} <code><strong>connect</strong></code><strong><code>-src</code></strong> directive restricts the&nbsp;URLs which can be loaded using script interfaces. The APIs that are restricted are:</p>

<ul>
 <li>{{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},</li>
 <li>{{domxref("Fetch")}},</li>
 <li>{{domxref("XMLHttpRequest")}},</li>
 <li>{{domxref("WebSocket")}}, and</li>
 <li>{{domxref("EventSource")}}.</li>
</ul>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">CSP version</th>
   <td>1</td>
  </tr>
  <tr>
   <th scope="row">Directive type</th>
   <td>{{Glossary("Fetch directive")}}</td>
  </tr>
  <tr>
   <th scope="row">{{CSP("default-src")}} fallback</th>
   <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<p>One or more sources can be allowed for the connect-src policy:</p>

<pre class="syntaxbox">
Content-Security-Policy: connect-src &lt;source&gt;;
Content-Security-Policy: connect-src &lt;source&gt; &lt;source&gt;;
</pre>

<h3>Sources</h3>

<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>

<h2 id="Examples">Examples</h2>

<h3 id="Violation_cases">Violation cases</h3>

<p>Given this CSP header:</p>

<pre class="brush: bash">
Content-Security-Policy: connect-src https://example.com/</pre>

<p>This following connections are blocked and won't load:</p>

<pre class="brush: html">
&lt;a ping="https://not-example.com"&gt;

&lt;script&gt;
  var xhr = new XMLHttpRequest(); 
  xhr.open('GET', 'https://not-example.com/'); 
  xhr.send();

  var ws = new WebSocket("https://not-example.com/");

  var es = new EventSource("https://not-example.com/"); 

  navigator.sendBeacon("https://not-example.com/", { ... });
&lt;/script&gt;</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("CSP 3.0", "#directive-connect-src", "connect-src")}}</td>
   <td>{{Spec2('CSP 3.0')}}</td>
   <td>No changes.</td>
  </tr>
  <tr>
   <td>{{specName("CSP 1.1", "#directive-connect-src", "connect-src")}}</td>
   <td>{{Spec2('CSP 1.1')}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="Compatibility_notes">Compatibility notes</h2>

<ul>
 <li>Prior to Firefox 23, <code>xhr-src</code> was used in place of the <code>connect-src</code> directive and only restricted the use of {{domxref("XMLHttpRequest")}}.</li>
</ul>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Content-Security-Policy")}}</li>
 <li>{{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}</li>
 <li>{{domxref("Fetch")}}</li>
 <li>{{domxref("XMLHttpRequest")}}</li>
 <li>{{domxref("WebSocket")}}</li>
 <li>{{domxref("EventSource")}}</li>
</ul>
Revert to this revision