Changes


Security/CSP/Specification

572 bytes removed, 23:58, 8 March 2010
Activation and Enforcement
==Activation and Enforcement==
Old revision:

CSP is activated by a client's browser when the <tt>X-Content-Security-Policy</tt> HTTP header is provided in a HTTP response. The Content Security Policy to be enforced can be delivered to the browser in one of two ways: directly as the value in the <tt>X-Content-Security-Policy</tt> HTTP header or a file served from the same host as the resource to be secured. The <tt>X-Content-Security-Policy</tt> header must either contain a policy definition <i>or</i> a <tt>policy-uri</tt> field; if both are present, the browser will raise a [[Security/CSP/Spec#Error_Handling|CSP console error]] and enforce the most restrictive ("allow none") policy. The syntax is identical between file-based and header-based policy. The contents of a policy file are equivalent to the value of the X-Content-Security-Policy header.

New revision:

User Agents MUST activate CSP and enforce it for a document when the <tt>X-Content-Security-Policy</tt> HTTP header is provided in its HTTP response. User Agents MUST parse AND begin enforcing the policy before any of the protected content is parsed.
==Policy Refinements with Multiple Headers==
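Review bot: the new wording of "Activation and Enforcement" removes the whole description of file-based delivery and, with it, the rule that a header carrying both a policy definition and a <tt>policy-uri</tt> field raises a CSP console error and falls back to the most restrictive ("allow none") policy. If <tt>policy-uri</tt> remains a supported delivery mechanism elsewhere in the specification, that conflict rule should be moved to the section that now covers delivery rather than dropped, because the "allow none" fallback is the safe failure mode for an ambiguous policy. The added requirement that User Agents MUST parse and begin enforcing the policy before any protected content is parsed is the important change here: it rules out a window in which a document's content is processed under no policy, and it is worth stating explicitly that this holds for every delivery mechanism the spec retains.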
