Compare Revisions
CSP: form-action
Revision 1139279:
Revision 1139279 by fscholz on
Revision 1140969:
Revision 1140969 by fscholz on
- Title:
- Content-Security-Policy: form-action
- Content-Security-Policy: form-action
- Slug:
- Web/HTTP/Headers/Content-Security-Policy/form-action
- Web/HTTP/Headers/Content-Security-Policy/form-action
- Tags:
- "CSP" "Directive" "HTTP" "Security"
- "CSP" "Directive" "HTTP" "Security"
- Comment:
- new page
- Content:
-
Revision 1139279 Revision 1140969 n n 51 <h3> 52 Sources 53 </h3> n 52 <source> can be one of the following: n 55 {{page("Web/HTTP/Headers/Content-Security-Policy/default-sr > c", "Sources")}} n 54 <dl> n 55 <dt> 56 <host-source> 57 </dt> 58 <dd> 59 Internet hosts by name or IP address, as well as an optio > nal <a href="/en-US/docs/URIs_and_URLs">URL scheme</a> and/or por > t number. The site's address may include an optional leading wild > card (the asterisk character, <code>'*'</code>), and you may use > a wildcard (again, <code>'*'</code>) as the port number, indicati > ng that all legal ports are valid for the source.<br> 60 Examples: 61 <ul> 62 <li> 63 <code>http://*.example.com</code>: Matches all attemp > ts to load from any subdomain of example.com using the <code>http > :</code> URL scheme. 64 </li> 65 <li> 66 <code>mail.example.com:443</code>: Matches all attemp > ts to access port 443 on mail.example.com. 67 </li> 68 <li> 69 <code>https://store.example.com</code>: Matches all a > ttempts to access store.example.com using <code>https:</code>. 70 </li> 71 </ul> 72 </dd> 73 <dt> 74 <scheme-source> 75 </dt> 76 <dd> 77 A schema such as 'http:' or 'https:'. The colon is requir > ed. 78 </dd> 79 <dt> 80 <code>'self'</code> 81 </dt> 82 <dd> 83 Refers to the origin from which the protected document is > being served, including the same URL scheme and port number. You > must include the single quotes. Some browsers specifically exclu > de <code>blob</code> and <code>filesystem</code> from source dire > ctives. Sites needing to allow these content types can specify th > em using the Data attribute. 84 </dd> 85 <dt> 86 <code>'unsafe-inline'</code> 87 </dt> 88 <dd> 89 Allows the use of inline resources, such as inline {{HTML > Element("script")}} elements, <code>javascript:</code> URLs, inli > ne event handlers, and inline {{HTMLElement("style")}} elements. > You must include the single quotes. 
90 </dd> 91 <dt> 92 <code>'unsafe-eval'</code> 93 </dt> 94 <dd> 95 Allows the use of <code>eval()</code> and similar methods > for creating code from strings. You must include the single quot > es. 96 </dd> 97 <dt> 98 <code>'none'</code> 99 </dt> 100 <dd> 101 Refers to the empty set; that is, no URLs match. The sing > le quotes are required. 102 </dd> 103 </dl> n 162 {{specName("CSP 3.0")}} n 115 {{specName("CSP 3.0", "#directive-form-action", "form > -action")}} t 173 {{specName("CSP 1.1")}} t 126 {{specName("CSP 1.1", "#directive-form-action", "form > -action")}}
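Review bot: The Sources list in the `<dl>` block (lines 54 to 103) includes `'unsafe-inline'` and `'unsafe-eval'`, which describe inline scripts, styles and `eval()`. They do not apply to the form submission targets that form-action restricts, so a reader could take them for meaningful values of this directive. I'd drop or qualify those two entries on this page rather than mirror the default-src "Sources" section that the `{{page(...)}}` macro refers to. In the same block, "A schema such as 'http:' or 'https:'" should read "A scheme", matching the `<scheme-source>` term it defines. The `'self'` entry says blob and filesystem can be allowed "using the Data attribute" without saying which attribute that is, so that sentence needs a concrete reference or should be removed.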