The .ContentSecurityPolicy file is used to enforce the maximum level of Content-Security-Policy rules a website may set on responses.

It is also used to document these settings. When you provide a package for others to install, they will be prompted to accept these Content-Security-Policy rules upon installing the package. (Warning: currently, package updates silently allow everything.)

Note that some engines automatically pick up the rules defined in the .ContentSecurityPolicy file at runtime while others do not. In the latter case, you need to set them on the response file’s content-security-policy string attribute when generating the response.


You don’t need to set a file type on the .ContentSecurityPolicy file.

As for the .ContentSecurityPolicy file’s body, you can use the simple format or the fully defined format.

Simple format

Just list each domain you want to allow on a new line. For example:


This will enable all kinds of communication with the given providers.

Valid values are:


WARNING: using the simple rule is simple, but it makes the HTTP headers bloated. Only use the simple format for prototyping, and go with the fully defined format in production.

Fully defined format

Use any valid Content-Security-Policy rules.

For example, the simple format rule www.youtube.com is equivalent to the fully defined rule:

default-src www.youtube.com
script-src www.youtube.com
style-src www.youtube.com
img-src www.youtube.com
connect-src www.youtube.com
font-src www.youtube.com
object-src www.youtube.com
media-src www.youtube.com
child-src www.youtube.com
form-action www.youtube.com
frame-ancestors www.youtube.com

You can also use the semicolon separated representation:

default-src www.youtube.com; script-src www.youtube.com; style-src www.youtube.com; img-src www.youtube.com; connect-src www.youtube.com; font-src www.youtube.com; object-src www.youtube.com; media-src www.youtube.com; child-src www.youtube.com; form-action www.youtube.com; frame-ancestors www.youtube.com

Valid directive values are the same as for the simple format, plus you can use the sha256-* nonce form where applicable.

Nonce example

script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='

On demand

Note that simply installing a package won’t add any Content-Security-Policy headers to your HTTP responses, unless it is actually used on the visited page. For example, if you install a YouTube video player, the HTTP headers will only include rules to allow communication with YouTube if the very page the user is visiting actually contains a YouTube video player. Other pages will not.