# set a policy on a page directly in the markup
# (put the <meta> as early as possible in <head>; frame-ancestors, report-uri and sandbox are ignored when delivered this way)
    <meta http-equiv="Content-Security-Policy" content="default-src https://<cdn-origin>; child-src 'none'; object-src 'none'">

    # all required resources of a specific type in a single directive
    # (a repeated directive is ignored, not merged: only the first script-src the browser sees takes effect)
    script-src https://<host-1>; script-src https://<host-2> # wrong
    script-src https://<host-1> https://<host-2> # right

    # application that loads all of its resources from a content delivery network
    # (say, https://<cdn-origin>)
    # and you know that you don't need framed content or any plugins at all
    Content-Security-Policy: default-src https://<cdn-origin>; child-src 'none'; object-src 'none'

    # including multiple widgets is straightforward
    # combine the policy directives, remembering to merge all resources of a single type
    # into a single directive
    script-src https://<widget-a-origin> https://<widget-b-origin>; child-src https://<widget-a-origin> https://<widget-b-origin>

    # bank loads all images, style, and script from a CDN at https://<cdn-origin>,
    # and connects via XHR to https://<api-origin> to pull various bits of data down
    # frames are used, but only for pages local to the site (no third-party origins)
    # there is no Flash on the site, no fonts, no nothing
    # most restrictive CSP header that we could send in this scenario is:
    Content-Security-Policy: default-src 'none'; script-src https://<cdn-origin>; style-src https://<cdn-origin>; img-src https://<cdn-origin>; connect-src https://<api-origin>; child-src 'self'

    # even though https: was specified in default-src,
    # the script and style directives don't automatically inherit that source
    # each directive overwrites the default completely for that specific type of resource
    # (note that 'unsafe-inline' re-enables inline script and style, which gives up most of the XSS protection CSP is meant to provide)
    Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'





