|Directive type||Fetch directive|
||Yes. If this directive is absent, the user agent will look for the |
One or more sources can be allowed for the
Content-Security-Policy: manifest-src <source>; Content-Security-Policy: manifest-src <source> <source>;
<source> can be one of the following:
'*'), and you may use a wildcard (again,
'*') as the port number, indicating that all legal ports are valid for the source.
http://*.example.com: Matches all attempts to load from any subdomain of example.com using the
mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
https://store.example.com: Matches all attempts to access store.example.com using
*.example.com: Matches all attempts to load from any subdomain of example.com using the current protocol.
https:. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
data:URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream:URIs to be used as a content source.
blob:URIs to be used as a content source.
filesystem:URIs to be used as a content source.
filesystemfrom source directives. Sites needing to allow these content types can specify them using the Data attribute.
eval()and similar methods for creating code from strings. You must include the single quotes.
<style>elements. The single quotes are required.
'unsafe-inline'which could still be set for older browsers without nonce support.
script-srcfor external scripts.
Given this CSP header:
Content-Security-Policy: manifest-src https://example.com/
<link> is blocked and won't load:
<link rel="manifest" href="https://not-example.com/manifest">
|Content Security Policy Level 3 |
The definition of 'manifest-src' in that specification.
|Working Draft||Initial definition.|
© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.