m (→policy-uri) |
| Line 284: | Line 284: | ||
===policy-uri=== | ===policy-uri=== | ||
* Indicates the location of a file containing the security policies for the protected resource. | * Indicates the location of a file containing the security policies for the protected resource. | ||
* <tt>policy-uri</tt> should only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header. If <tt>policy-uri</tt> is defined among other directives in the header, a [[Security/CSP#Error_Handling|console error]] is raised and the policy enforced by CSP is the most restrictive policy: "allow none". | * <tt>policy-uri</tt> should only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header. If <tt>policy-uri</tt> is defined among other directives in the header, a [[Security/CSP#Error_Handling|console error]] is raised and the policy enforced by CSP is the most restrictive policy: "allow 'none'". | ||
* Policy URIs must be of the same origin (scheme/host/port) as the protected content. Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP. | * Policy URIs must be of the same origin (scheme/host/port) as the protected content. Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP. | ||
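Review bot: In the second bullet, "should only be defined" reads as advisory, yet the same sentence describes hard failure behavior (a console error and fallback to "allow 'none'") when <tt>policy-uri</tt> appears among other directives; suggest "must only be defined", matching the "must" already used in the same-origin bullet. Since this edit changes the literal fallback policy string to the quoted 'none' form, any other place on the page that states this fallback should use the same quoted form so that readers do not copy the unquoted keyword.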