|Directive type||Fetch directive|
||Yes. If this directive is absent, the user agent will look for the |
One or more sources can be allowed for the
Content-Security-Policy: manifest-src <source>; Content-Security-Policy: manifest-src <source> <source>;
<source> can be one of the following:
'*'), and you may use a wildcard (again,
'*') as the port number, indicating that all legal ports are valid for the source.
http://*.example.com: Matches all attempts to load from any subdomain of example.com using the
mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
https://store.example.com: Matches all attempts to access store.example.com using
data:URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream:URIs to be used as a content source.
blob:URIs to be used as a content source.
filesystem:URIs to be used as a content source.
filesystemfrom source directives. Sites needing to allow these content types can specify them using the Data attribute.
<style>elements. You must include the single quotes.
eval()and similar methods for creating code from strings. You must include the single quotes.
'unsafe-inline'which could still be set for older browsers without nonce support.
script-srcfor external scripts.
strict-dynamicsource expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as
'unsafe-inline'will be ignored. See script-src for an example.
Given this CSP header:
Content-Security-Policy: manifest-src https://example.com/
<link> is blocked and won't load:
<link rel="manifest" href="https://not-example.com/manifest">
|Content Security Policy Level 3 |
The definition of 'manifest-src' in that specification.
|Working Draft||Initial definition.|
|Android webview||Chrome for Android||Edge Mobile||Firefox for Android||Opera for Android||iOS Safari||Samsung Internet|
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.