The HTTP Content-Security-Policy (CSP) navigate-to directive restricts the URLs to which a document can initiate navigations by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc. This is an enforcement on what navigations this document initiates, not on what this document is allowed to navigate to.
Note: If the form-action directive is present, the navigate-to directive will not act on navigations that are form submissions.
| Property | Value |
|---|---|
| Directive type | Navigation directive |
| default-src fallback | No. Not setting this allows anything. |
One or more sources can be set for the navigate-to policy:

```http
Content-Security-Policy: navigate-to <source>;
Content-Security-Policy: navigate-to <source> <source>;
```
<source> can be one of the following. The keywords are the generic CSP source-list syntax shared by all directives; for navigate-to, a navigation target is a URL, so only the URL-matching forms (host source, scheme source, 'self', 'none', '*') have an effect, while the script-related keywords (nonce, hash, 'unsafe-eval', 'unsafe-inline', 'strict-dynamic') are accepted syntactically but match no navigation.

<host-source>
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. Examples:
http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
https://store.example.com: Matches all attempts to access store.example.com using https:.
*.example.com: Matches all attempts to load from any subdomain of example.com using the current protocol.

<scheme-source>
A scheme such as http: or https:. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream: Allows mediastream: URIs to be used as a content source.
blob: Allows blob: URIs to be used as a content source.
filesystem: Allows filesystem: URIs to be used as a content source.

'self'
Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.

'none'
Refers to the empty set; that is, no URLs match. The single quotes are required.

'unsafe-eval'
Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.

'unsafe-inline'
Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. The single quotes are required.

'nonce-<base64-value>'
An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. Specifying a nonce makes a modern browser ignore 'unsafe-inline', which could still be set for older browsers without nonce support.

'<hash-algorithm>-<base64-value>'
A sha256, sha384 or sha512 hash of scripts or styles, written as two portions separated by a dash: the hash algorithm and the base64-encoded hash of the script or style. In CSP 2.0 this applied only to inline scripts; CSP 3.0 allows it in the case of script-src for external scripts.

'strict-dynamic'
The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as 'self' or 'unsafe-inline' are ignored. See script-src for an example.
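The source matching described above, as an added example that is not MDN's text nor any browser's code: a simplified Python evaluator that parses a policy string and decides whether a navigation may be initiated under navigate-to, including the rule that form-action, when present, takes over form submissions. It assumes the policy string, origin and URLs passed in are constructed test values, and it omits the http-to-https upgrade equivalence and path matching of the full CSP algorithm.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """(scheme, lowercase host, effective port) of a URL; a missing port becomes the scheme default."""
    u = urlsplit(url)
    return u.scheme.lower(), u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme.lower())


def source_matches(source, url, self_origin):
    """True if one CSP source expression allows url (simplified: no http->https upgrade, no paths)."""
    scheme, host, port = _parts(url)
    self_scheme, self_host, self_port = _parts(self_origin)
    if source == "'none'":
        return False
    if source == "'self'":  # same scheme, host and port as the protected document
        return (scheme, host, port) == (self_scheme, self_host, self_port)
    if source == "*":  # wildcard: any http(s) target, or the document's own scheme
        return scheme in ("http", "https") or scheme == self_scheme
    if source.endswith(":"):  # scheme-source such as https: (no quotes, colon required)
        return scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]; host may start with "*." and port may be "*"
    src_scheme, _, rest = source.rpartition("://")
    src_host, _, src_port = rest.partition(":")
    src_host = src_host.lower()
    if scheme != (src_scheme.lower() if src_scheme else self_scheme):  # no scheme: current protocol
        return False
    host_ok = host.endswith(src_host[1:]) if src_host.startswith("*.") else host == src_host
    if not host_ok:
        return False
    if src_port == "*":  # any legal port
        return True
    if src_port:
        return port == int(src_port)
    return port == DEFAULT_PORTS.get(scheme)  # no port given: the scheme's default port


def navigation_allowed(policy, url, self_origin, form_submission=False):
    """May this document navigate to url? No navigate-to allows anything; form-action wins for forms."""
    directives = {}
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name:
            directives[name.lower()] = value.split()
    if form_submission and "form-action" in directives:
        return any(source_matches(s, url, self_origin) for s in directives["form-action"])
    sources = directives.get("navigate-to")
    if sources is None:
        return True
    return any(source_matches(s, url, self_origin) for s in sources)
```

Use it to sanity-check a policy before deploying it: a navigation to a URL you expect to allow should return True, and everything else False.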
Example: forbid every navigation initiated by this document, set via a meta element:

```html
<meta http-equiv="Content-Security-Policy" content="navigate-to 'none'">
```
| Specification | Status | Comment |
|---|---|---|
| Content Security Policy Level 3, the definition of 'navigate-to' in that specification | Working Draft | Initial definition. |
© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.