This document describes the basic syntax and semantics for content security policies. This document does not describe any individual policy directives. The directives are defined in separate modules targeted at various threats. To learn about policy directives, please see the list of CSP modules.
An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy. The general X-Content-Security-Policy header has the following syntax:

content-security-policy = "x-content-security-policy" ":" OWS csp-policy OWS
csp-policy = csp-rule ["," csp-policy]
csp-rule = future-rule / known-rule
future-rule = (anything but ",")
known-rule = *SP directive [ 1*SP origin-list ] *SP
directive = (see individual modules)
origin-list = origin-descriptor [ 1*SP origin-list ]
origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor = qualified-host-name / "*" ["." host-name ]
qualified-host-name = dns-label "." host-name
host-name = dns-label ["." host-name]
The browser MUST ignore any X-Content-Security-Policy header fields occurring in an HTML meta tag or in the Trailer headers. The syntax and semantics of the directives are described in the individual modules.
The origin-list production defines a set of URLs, which the directive can use for some purpose. The origin-list denotes the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:
- "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
- "none" denotes the empty set of URLs.
- "*" denotes the set of all URLs.
Instead of a constant, an origin-descriptor can be a non-constant origin-descriptor such as the following:
example.com *.example.org https://example.net http://*.foo.example.com
If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity.
A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
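The following is an added worked example, not text or code from the specification page and not Mozilla's implementation. It implements only what the grammar and the origin-list semantics above state: splitting a header value into rules, matching a URL against the constant descriptors ("self", "none", "*") and against host descriptors with an optional scheme and a "*." wildcard that matches zero or more subdomains, ignoring port numbers, and the "respects an origin-list" rule over a redirect chain. Assumptions not on the page: directive names are treated as opaque tokens (the page defers them to the modules, so "img-src", "frame-src" and "script-src" below are just example tokens), URLs are absolute, and host names are compared case-insensitively because DNS names are.

```python
"""Added example: parser and matcher for the X-Content-Security-Policy
origin-list semantics described above (not the spec's own code)."""
from urllib.parse import urlsplit


def parse_policy(header_value):
    """Split a header value into {directive: [origin-descriptor, ...]}.

    Follows csp-policy = csp-rule ["," csp-policy] and
    known-rule = *SP directive [1*SP origin-list] *SP.  Empty rules are
    skipped.  Unknown directive names are kept as opaque tokens (the
    future-rule branch allows anything but ","); what to do with them is
    left to the modules that define directives.
    """
    rules = {}
    for rule in header_value.split(","):
        tokens = rule.split()          # *SP / 1*SP separators
        if not tokens:
            continue
        directive, origin_list = tokens[0], tokens[1:]
        rules[directive] = origin_list
    return rules


def host_matches(host_desc, hostname):
    """host-descriptor = qualified-host-name / "*" ["." host-name].

    A leading "*." matches zero or more subdomains, so "*.example.org"
    matches example.org, foo.example.org and bar.foo.example.org.
    Assumption (not stated on the page): case-insensitive comparison.
    """
    if not hostname:
        return False
    hostname, host_desc = hostname.lower(), host_desc.lower()
    if host_desc == "*":
        return True
    if host_desc.startswith("*."):
        suffix = host_desc[2:]
        return hostname == suffix or hostname.endswith("." + suffix)
    return hostname == host_desc


def descriptor_matches(descriptor, url, page_url):
    """True if url is in the set of URLs denoted by one origin-descriptor.

    Port numbers are ignored, as the page says: urlsplit(...).hostname
    already strips them.
    """
    if descriptor == "none":           # the empty set
        return False
    if descriptor == "*":              # the set of all URLs
        return True
    page, target = urlsplit(page_url), urlsplit(url)
    if descriptor == "self":           # same scheme and fully qualified host
        return (target.scheme == page.scheme
                and target.hostname is not None
                and target.hostname.lower() == (page.hostname or "").lower())
    # [scheme "://"] host-descriptor: a missing scheme defaults to the page's
    if "://" in descriptor:
        scheme, host_desc = descriptor.split("://", 1)
    else:
        scheme, host_desc = page.scheme, descriptor
    if target.scheme.lower() != scheme.lower():
        return False
    return host_matches(host_desc, target.hostname)


def in_origin_list(origin_list, url, page_url):
    """The origin-list denotes the union of its descriptors' sets."""
    return any(descriptor_matches(d, url, page_url) for d in origin_list)


def load_respects(origin_list, request_chain, page_url):
    """A load respects an origin-list only if the initial request and every
    subsequent redirect target are in the set denoted by the list."""
    return all(in_origin_list(origin_list, u, page_url) for u in request_chain)


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    page = "https://www.example.com/index.html"
    policy = parse_policy(
        "img-src *.example.org https://example.net, frame-src self, script-src none")
    print(policy)
    print(load_respects(policy["img-src"],
                        ["https://example.org/a.png", "https://cdn.example.org/a.png"],
                        page))
```

The redirect check is the part worth noting for defenders: a load whose first hop is allowed but whose redirect lands outside the list does not respect the list, so a matcher that only inspects the initial request URL enforces a weaker policy than the one the header expresses.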