The .ContentSecurityPolicy file is used to enforce the maximum level of Content-Security-Policy rules a website may set on responses. It also documents these settings. When you provide a package for others to install, they are prompted to accept these Content-Security-Policy rules when installing the package. (Warning: currently, package updates silently allow everything.)
Note that some engines automatically pick up the rules defined in the .ContentSecurityPolicy file at runtime while others do not. In the latter case, you need to set them on the response file’s content-security-policy string attribute when generating the response.
You don’t need to set a file type on the
As for the .ContentSecurityPolicy file’s body, you can use the simple format or the fully defined format.
Just list each domain you want to allow on a new line. For example:
This will enable all kinds of communication with the given providers.
Valid values are:
foo.com
http://foo.com
https://foo.com
WARNING: the simple format is easy to write, but it bloats the HTTP headers, because every listed domain expands into a full set of directives. Use the simple format only for prototyping, and go with the fully defined format in production.
In the fully defined format, use any valid Content-Security-Policy rules. For example, the simple format rule www.youtube.com is equivalent to the fully defined rule:
default-src www.youtube.com
script-src www.youtube.com
style-src www.youtube.com
img-src www.youtube.com
connect-src www.youtube.com
font-src www.youtube.com
object-src www.youtube.com
media-src www.youtube.com
child-src www.youtube.com
form-action www.youtube.com
frame-ancestors www.youtube.com
You can also use the semicolon separated representation:
default-src www.youtube.com; script-src www.youtube.com; style-src www.youtube.com; img-src www.youtube.com; connect-src www.youtube.com; font-src www.youtube.com; object-src www.youtube.com; media-src www.youtube.com; child-src www.youtube.com; form-action www.youtube.com; frame-ancestors www.youtube.com
Valid directive values are the same as for the simple format, plus you can use the sha256-* and nonce forms where applicable.
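As an added example (not the framework's own code), the following Python expands a .ContentSecurityPolicy body in either format into a header value, using the equivalence shown above, and checks a response's requested policy against the file's maximum. It assumes entries are separated by newlines or semicolons, that a bare host line is a simple-format rule, and that a directive absent from the maximum allows nothing.

```python
import re

# Directives the page says one simple-format host expands to.
SIMPLE_DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "child-src", "form-action",
    "frame-ancestors",
)
# Standard CSP directive names; used to tell a fully defined rule from a bare host.
KNOWN_DIRECTIVES = set(SIMPLE_DIRECTIVES) | {
    "frame-src", "worker-src", "manifest-src", "base-uri", "sandbox",
    "upgrade-insecure-requests", "report-uri", "report-to",
}

def parse_policy(body: str) -> dict[str, list[str]]:
    """Parse a .ContentSecurityPolicy body in either format into
    {directive: [sources]}. Assumption: entries are separated by newlines or ';'."""
    rules: dict[str, list[str]] = {}
    for entry in re.split(r"[;\n]", body):
        tokens = entry.split()
        if not tokens:
            continue
        if tokens[0] in KNOWN_DIRECTIVES:       # fully defined rule
            pairs = [(tokens[0], tokens[1:])]
        elif len(tokens) == 1:                  # simple rule: a bare host
            pairs = [(d, tokens) for d in SIMPLE_DIRECTIVES]
        else:
            raise ValueError(f"unrecognised rule: {entry.strip()!r}")
        for directive, sources in pairs:
            bucket = rules.setdefault(directive, [])
            for source in sources:              # keep order, drop duplicates
                if source not in bucket:
                    bucket.append(source)
    return rules

def render_header(rules: dict[str, list[str]]) -> str:
    """Serialise parsed rules as a Content-Security-Policy header value."""
    return "; ".join(" ".join([d, *srcs]) for d, srcs in rules.items())

def violations(maximum: dict[str, list[str]],
               requested: dict[str, list[str]]) -> list[str]:
    """Return 'directive source' pairs in `requested` that `maximum` does not
    allow. Conservative: a directive absent from the maximum allows nothing."""
    found = []
    for directive, sources in requested.items():
        allowed = maximum.get(directive, [])
        found += [f"{directive} {s}" for s in sources if s not in allowed]
    return found
```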
Note that simply installing a package won’t add any Content-Security-Policy headers to your HTTP responses unless the package is actually used on the visited page. For example, if you install a YouTube video player, the HTTP headers will only include rules allowing communication with YouTube if the very page the user is visiting actually contains a YouTube video player. Other pages will not include them.