diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md index fbd3191794f188f..bdd7abd71b6eca8 100644 --- a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md +++ b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md @@ -33,16 +33,19 @@ Content-Security-Policy: base-uri 'none'; Content-Security-Policy: base-uri ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no base URI may be set using a `` element -- a list of _source expression_ values, meaning that a `` element may set a base URI if it matches any of the given source expressions. +- `'none'` + - : No base URI may be set using a `` element. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: + - : A space-separated list of _source expression_ values. A `` element may set a base URI if its value matches any of the given source expressions. -- `` -- `` -- the keyword value `'self'`. + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: + + - `` + - `` + - the keyword value `'self'`. ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/child-src/index.md b/files/en-us/web/http/headers/content-security-policy/child-src/index.md index 564e58cc5b88b34..ac046bad98a8146 100644 --- a/files/en-us/web/http/headers/content-security-policy/child-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/child-src/index.md 
@@ -40,12 +40,15 @@ Content-Security-Policy: child-src 'none'; Content-Security-Policy: child-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md index 26cc96d0a2c5af7..04d2a0408038dc5 100644 --- a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md 
@@ -9,14 +9,14 @@ browser-compat: http.headers.Content-Security-Policy.connect-src The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`connect-src`** directive restricts the URLs which can be -loaded using script interfaces. The APIs that are restricted are: +loaded using script interfaces. The following APIs are controlled by this directive: -- {{HTMLElement("a")}} [`ping`](/en-US/docs/Web/HTML/Element/a#ping), -- {{domxref("Window/fetch", "fetch()")}}, -- {{domxref("XMLHttpRequest")}}, -- {{domxref("WebSocket")}}, -- {{domxref("EventSource")}}, and -- {{domxref("Navigator.sendBeacon()")}}. +- The [`ping`](/en-US/docs/Web/HTML/Element/a#ping) attribute in {{htmlelement("a")}} elements +- {{domxref("Window/fetch", "fetch()")}} +- {{domxref("XMLHttpRequest")}} +- {{domxref("WebSocket")}} +- {{domxref("EventSource")}} +- {{domxref("Navigator.sendBeacon()")}} > **Note:** `connect-src 'self'` does not resolve to websocket > schemes in all browsers, more info in this [issue](https://github.com/w3c/webappsec-csp/issues/7). @@ -48,12 +48,15 @@ Content-Security-Policy: connect-src 'none'; Content-Security-Policy: connect-src ; ``` -This directive may have either: +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples 
diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.md b/files/en-us/web/http/headers/content-security-policy/default-src/index.md index e5a55b5107e20af..89e20088b45c002 100644 --- a/files/en-us/web/http/headers/content-security-policy/default-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/default-src/index.md @@ -46,12 +46,15 @@ Content-Security-Policy: default-src 'none'; Content-Security-Policy: default-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/font-src/index.md b/files/en-us/web/http/headers/content-security-policy/font-src/index.md index a862bc65d41d850..f9e3a4204578ef0 100644 --- a/files/en-us/web/http/headers/content-security-policy/font-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/font-src/index.md 
@@ -38,12 +38,15 @@ Content-Security-Policy: font-src 'none'; Content-Security-Policy: font-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md index e8a86e67f33a63f..46fd83f56328f9b 100644 --- a/files/en-us/web/http/headers/content-security-policy/form-action/index.md +++ b/files/en-us/web/http/headers/content-security-policy/form-action/index.md 
@@ -36,16 +36,19 @@ Content-Security-Policy: form-action 'none'; Content-Security-Policy: form-action ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no form submissions may be made -- a list of _source expression_ values, meaning that form submissions may be made to URLs that match any of the given source expressions. +- `'none'` + - : No form submissions may be made. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `form-action`: + - : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions. -- `` -- `` -- the keyword value `'self'`. + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `form-action`: + + - `` + - `` + - the keyword value `'self'`. ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md index 35d6fffe0268aad..9fdc2fb09fc87bb 100644 --- a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md 
@@ -43,12 +43,15 @@ Content-Security-Policy: frame-src 'none'; Content-Security-Policy: frame-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/img-src/index.md b/files/en-us/web/http/headers/content-security-policy/img-src/index.md index a0675410425a9f2..48747be59af919a 100644 --- a/files/en-us/web/http/headers/content-security-policy/img-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/img-src/index.md 
@@ -36,12 +36,15 @@ Content-Security-Policy: img-src 'none'; Content-Security-Policy: img-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md index 3b1c2094311fcde..53630b66c4ad36e 100644 --- a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md 
@@ -39,12 +39,15 @@ Content-Security-Policy: manifest-src 'none'; Content-Security-Policy: manifest-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/media-src/index.md b/files/en-us/web/http/headers/content-security-policy/media-src/index.md index 4b1c941a179dbab..4a4a653044b0575 100644 --- a/files/en-us/web/http/headers/content-security-policy/media-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/media-src/index.md 
@@ -38,12 +38,15 @@ Content-Security-Policy: media-src 'none'; Content-Security-Policy: media-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/object-src/index.md b/files/en-us/web/http/headers/content-security-policy/object-src/index.md index 6daf3bfb07e6eb6..352b153352756ca 100644 --- a/files/en-us/web/http/headers/content-security-policy/object-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/object-src/index.md 
@@ -45,12 +45,15 @@ Content-Security-Policy: object-src 'none'; Content-Security-Policy: object-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md index 3bcc9cf00c2c7bc..797972671628c24 100644 --- a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md 
@@ -41,12 +41,15 @@ Content-Security-Policy: prefetch-src 'none'; Content-Security-Policy: prefetch-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Example diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md index ff1e5c5770032df..cc121edf4c82181 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md 
@@ -40,12 +40,15 @@ Content-Security-Policy: script-src-attr 'none'; Content-Security-Policy: script-src-attr ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). `script-src-attr` can be used in conjunction with {{CSP("script-src")}}, and will override that directive for checks on inline handlers: diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md index 5ba5ce17e35a12a..e470b788c93e07a 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md 
@@ -40,12 +40,15 @@ Content-Security-Policy: script-src-elem 'none'; Content-Security-Policy: script-src-elem ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). `script-src-elem` can be used in conjunction with {{CSP("script-src")}}: diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.md b/files/en-us/web/http/headers/content-security-policy/script-src/index.md index 0527db048bc9898..008539bce1dce6a 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src/index.md 
@@ -36,12 +36,15 @@ Content-Security-Policy: script-src 'none'; Content-Security-Policy: script-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md index 251f2a8bf599c42..a3c9a4d74c5bb32 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md 
@@ -41,12 +41,15 @@ Content-Security-Policy: style-src-attr 'none'; Content-Security-Policy: style-src-attr ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). `style-src-attr` can be used in conjunction with {{CSP("style-src")}}: diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md index df3f4e2509a90c7..cb62d937d765f46 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md 
@@ -40,12 +40,15 @@ Content-Security-Policy: style-src-elem 'none'; Content-Security-Policy: style-src-elem ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). `style-src-elem` can be used in conjunction with {{CSP("style-src")}}: diff --git a/files/en-us/web/http/headers/content-security-policy/style-src/index.md b/files/en-us/web/http/headers/content-security-policy/style-src/index.md index 829cd281be4d8c7..5b206952b69078e 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src/index.md 
@@ -36,12 +36,15 @@ Content-Security-Policy: style-src 'none'; Content-Security-Policy: style-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md index c943eb8399d1eec..031a87ce137daf6 100644 --- a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md 
@@ -44,12 +44,15 @@ Content-Security-Policy: worker-src 'none'; Content-Security-Policy: worker-src ; ``` -This directive may have either: +This directive may have one of the following values: -- the single keyword value `'none'`, meaning that no resources of this type may be loaded -- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples
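Review bot: In the base-uri hunk, the re-indented sentence "However, only the following subset of those values apply to `base-uri`:" has a subject-verb mismatch ("subset ... apply"). Since the line is being touched anyway, change it to "only the following subset of those values applies to `base-uri`:". The form-action hunk carries the same sentence and wants the same fix. In both hunks the last nested item, "the keyword value `'self'`.", ends with a period while its sibling items do not, so drop the period for consistency.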
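Review bot: In the first connect-src hunk, the macro changes case from `{{HTMLElement("a")}}` to `{{htmlelement("a")}}` with nothing in the change explaining why, while `{{HTTPHeader("Content-Security-Policy")}}` in the context lines just above keeps its mixed case. Keep `{{HTMLElement("a")}}` so the page uses one spelling. The new lead-in "The following APIs are controlled by this directive:" also sits oddly over a first bullet that is now explicitly an attribute rather than an API; "The following APIs and features" would cover both.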
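Review bot: In the script-src-attr hunk, the new `'none'` description "No resources of this type may be loaded." does not fit this directive: the unchanged context line right after the hunk says it governs "checks on inline handlers", which are executed rather than loaded. Word both descriptions for this page specifically, as the patch already does for base-uri ("No base URI may be set ...") and form-action ("No form submissions may be made."), for example "No inline event handlers may be executed." The style-src-attr hunk uses the same generic sentence and should be checked the same way.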