{{HTTPSidebar}}
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) `connect-src` directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are:
- {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},
- {{domxref("Fetch")}},
- {{domxref("XMLHttpRequest")}},
- {{domxref("WebSocket")}}, and
- {{domxref("EventSource")}}.
CSP version | 1 |
---|---|
Directive type | {{Glossary("Fetch directive")}} |
{{CSP("default-src")}} fallback | Yes. If this directive is absent, the user agent will look for the default-src directive. |
## Syntax

One or more sources can be allowed for the `connect-src` policy:

```http
Content-Security-Policy: connect-src <source>;
Content-Security-Policy: connect-src <source> <source>;
```
### Sources
{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
## Examples

### Violation cases

Given this CSP header:

```http
Content-Security-Policy: connect-src https://example.com/
```

The following connections are blocked and won't load:

```html
<a ping="https://not-example.com">

<script>
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://not-example.com/');
  xhr.send();

  var ws = new WebSocket("wss://not-example.com/");

  var es = new EventSource("https://not-example.com/");

  navigator.sendBeacon("https://not-example.com/", { ... });
</script>
```
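The following is an added example, not code from MDN or from the CSP specification: a simplified matcher that decides whether a connection is allowed by a policy, modelled on the CSP Level 3 source-expression rules. It covers the policy in the violation case above, the `default-src` fallback described in the table at the top of the page, and the `'self'`, `'none'`, `*`, scheme-source and host-source forms (wildcard host, port and path). The policy strings, page origin and target URLs are constructed for the demonstration; the matcher ignores nonce and hash sources (they do not apply to `connect-src`), redirects, IP-literal hosts and percent-decoding of path segments, all of which are simplifications.

```javascript
// Added example (not MDN's or the spec's code): a simplified connect-src matcher
// modelled on the source-expression rules of CSP Level 3. Assumptions: no
// nonce/hash sources, no redirect handling, no IP-literal special cases, and
// path segments compared as plain strings.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const NETWORK_SCHEMES = ["http:", "https:", "ws:", "wss:"];

// Parse "connect-src a b; default-src c" into { "connect-src": ["a", "b"], ... }.
// Only the first occurrence of a directive counts, as in the spec.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// CSP3 scheme matching: a source scheme also matches its "upgraded" forms,
// so http: covers https:, ws: covers wss:/http:/https:, wss: covers https:.
// Note that https: does NOT cover wss:, so WebSocket endpoints need their own source.
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http:") return urlScheme === "https:";
  if (exprScheme === "ws:") return ["wss:", "http:", "https:"].includes(urlScheme);
  if (exprScheme === "wss:") return urlScheme === "https:";
  return false;
}

// Effective port of a URL object: the URL parser drops default ports, so restore them.
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does one source expression allow `url` (a URL object) for a page at `origin`?
function sourceMatches(expr, url, origin) {
  const e = expr.toLowerCase();
  const page = new URL(origin);
  if (e === "'none'") return false;
  if (e === "'self'") {
    // Same origin, or same host on default ports with an allowed scheme pairing (CSP3).
    if (page.origin === url.origin) return true;
    if (page.hostname !== url.hostname) return false;
    const portsOk = portOf(page) === portOf(url) || (page.port === "" && url.port === "");
    const schemeOk = url.protocol === "https:" || url.protocol === "wss:" ||
      (page.protocol === "http:" && (url.protocol === "http:" || url.protocol === "ws:"));
    return portsOk && schemeOk;
  }
  if (e === "*") return NETWORK_SCHEMES.includes(url.protocol) || url.protocol === page.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url.protocol); // scheme-source
  // host-source: [scheme://]host[:port][/path]
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[a-z0-9.-]+|[a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false; // nonce/hash/'unsafe-*' sources do not apply to connect-src
  const [, scheme, host, port, path] = m;
  // Scheme: the expression's own scheme, or the page's scheme when it has none.
  if (!schemeMatches(scheme ? scheme + ":" : page.protocol, url.protocol)) return false;
  // Host: "*.example.com" matches subdomains only, never example.com itself.
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== url.hostname) return false;
  // Port: absent means the default port for the URL's scheme; "*" means any.
  if (port === undefined) { if (url.port !== "") return false; }
  else if (port !== "*" && port !== portOf(url)) return false;
  // Path: a trailing "/" is a prefix match, anything else is an exact match.
  if (path === undefined || path === "") return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// Is a connection from a page at `origin` to `target` allowed by this policy?
// Falls back to default-src when connect-src is absent, and allows everything
// when neither directive is present.
function connectAllowed(header, target, origin) {
  const directives = parsePolicy(header);
  const sources = directives["connect-src"] ?? directives["default-src"];
  if (sources === undefined) return true;
  const url = new URL(target, origin); // relative targets resolve against the page
  return sources.some((src) => sourceMatches(src, url, origin));
}

// Constructed demo: the policy from the violation case above, for a page at a made-up origin.
const policy = "connect-src https://example.com/";
const pageOrigin = "https://app.example.org/";
console.log(connectAllowed(policy, "https://not-example.com/", pageOrigin)); // false: blocked
console.log(connectAllowed(policy, "https://example.com/api", pageOrigin));  // true
console.log(connectAllowed(policy, "wss://example.com/", pageOrigin));       // false: needs a wss: source
```

The third call is the caveat worth remembering when writing a policy: a `connect-src https://example.com/` entry does not cover a `WebSocket` to `wss://example.com/`, because the CSP3 scheme-matching rules only let a source scheme match its upgraded forms (`http:` to `https:`, `ws:` to `wss:`), never `https:` to `wss:`. Tightening the demo policy to `connect-src https://example.com/ wss://example.com/`, or relying on `'self'` for same-host endpoints, is what makes the WebSocket connection pass.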
## Specifications
Specification | Status | Comment |
---|---|---|
{{specName("CSP 3.0", "#directive-connect-src", "connect-src")}} | {{Spec2('CSP 3.0')}} | No changes. |
{{specName("CSP 1.1", "#directive-connect-src", "connect-src")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
## Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
{{Compat("http/headers/content-security-policy", "connect-src")}}
### Compatibility notes

- Prior to Firefox 23, `xhr-src` was used in place of the `connect-src` directive and only restricted the use of {{domxref("XMLHttpRequest")}}.
## See also
- {{HTTPHeader("Content-Security-Policy")}}
- {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}
- {{domxref("Fetch")}}
- {{domxref("XMLHttpRequest")}}
- {{domxref("WebSocket")}}
- {{domxref("EventSource")}}