|Directive type||Fetch directive|
Chrome 57 and higher skips the
One or more sources can be allowed for the
Content-Security-Policy: worker-src <source>; Content-Security-Policy: worker-src <source> <source>;
<source> can be one of the following:
'*'), and you may use a wildcard (again,
'*') as the port number, indicating that all legal ports are valid for the source.
http://*.example.com: Matches all attempts to load from any subdomain of example.com using the
mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
https://store.example.com: Matches all attempts to access store.example.com using
data:URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream:URIs to be used as a content source.
blob:URIs to be used as a content source.
filesystem:URIs to be used as a content source.
filesystemfrom source directives. Sites needing to allow these content types can specify them using the Data attribute.
<style>elements. You must include the single quotes.
eval()and similar methods for creating code from strings. You must include the single quotes.
script-srcfor external scripts.
strict-dynamicsource expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as
'unsafe-inline'will be ignored. See script-src for an example.
Given this CSP header:
Content-Security-Policy: worker-src https://example.com/
|Content Security Policy Level 3 |
The definition of 'worker-src' in that specification.
|Editor's Draft||Initial definition.|
|Feature||Android webview||Chrome for Android||Edge mobile||Firefox for Android||IE mobile||Opera Android||iOS Safari|
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.