Security/CSP/Specification

No change in size, 17:19, 14 June 2010, minor edit (m). Edit summary: Directives: MUST NOT!
;allow:
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives. Defines the default policy for unspecified content types, except for <tt>frame-ancestors</tt>, which MUST be enforced as "*" when not explicitly stated.
* User Agents MUST NOT load content from any source if the allow directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'".
* User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives.
;img-src:
* Indicates which sources are valid for images and favicons.
* User Agents MUST NOT request images from non-approved sources.
* User Agents MUST subject image requests to the allow directive if img-src is not explicitly specified.
;media-src:
* Indicates which sources are valid for <tt>audio</tt> and <tt>video</tt> elements.
* User Agents MUST NOT request <tt>audio</tt> and <tt>video</tt> elements from non-approved sources.
* User Agents MUST subject audio and video requests to the allow directive if media-src is not explicitly specified.
;script-src:
* Indicates which sources are valid for scripts.
* Regulates which scripts can be loaded via the <tt>src=</tt> attribute.
* User Agents MUST NOT request scripts from non-approved sources.
* User Agents MUST subject script requests to the allow directive if script-src is not explicitly specified.
;object-src:
* Indicates which sources are valid for <tt>object</tt>, <tt>embed</tt>, and <tt>applet</tt> elements.
* User Agents MUST NOT request objects from non-approved sources.
* User Agents MUST subject object, embed, and applet requests to the allow directive if object-src is not explicitly specified.
;frame-src:
* Indicates which sources are valid for <tt>frame</tt> and <tt>iframe</tt> elements.
* User Agents MUST NOT request frame content from non-approved sources.
* User Agents MUST subject frame requests to the allow directive if frame-src is not explicitly specified.
;font-src:
* Indicates which sources are valid for <tt>@font-face</tt> CSS loads.
* User Agents MUST NOT request fonts served from non-approved sources when intended for use as a font in CSS.
* User Agents MUST subject requests caused by <tt>@font-face</tt> to the allow directive if font-src is not explicitly specified.
;xhr-src:
* Indicates which sources are valid for <tt>XMLHttpRequest</tt> connections.
* User Agents MUST NOT cause XMLHttpRequests to open requests to sources not permitted by this directive.
* User Agents MUST subject requests caused by <tt>XMLHttpRequest</tt> to the allow directive if xhr-src is not explicitly specified.
;frame-ancestors:
* All web pages that are ancestors of the protected content must be indicated by the value of this directive. For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> of "B,C", then C is not rendered as a subframe, because its ancestor A is not listed.
* Answers the question: "Which sites may embed this resource?"
* User Agents MUST NOT render the protected document when any of its frame ancestors are not allowed by this directive.
* User Agents MUST always render the protected document if frame-ancestors is not explicitly specified.
* Note that this directive addresses the [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html clickjacking] threat, but not [http://www.cgisecurity.com/articles/csrf-faq.shtml CSRF].
;style-src:
* Indicates which sources are valid for externally linked stylesheets.
* User Agents MUST always allow inline stylesheets and style attributes of HTML tags.
* User Agents MUST NOT request stylesheets from sources not allowed by the style-src directive.
* User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified.
;report-uri:
* User Agents MUST send violation reports to any acceptable URIs in this directive. Details about the information provided in violation reports are found in the [[#Violation Report Syntax|Violation Report Syntax]] section.
* User Agents MUST ignore report URIs that don't match the public suffix and base host match requirements. User Agents SHOULD log one error to an error console. User Agents MUST then continue CSP enforcement as if the report URI were not specified.
* User Agents MUST NOT honor HTTP 3xx response codes when delivering reports, to prevent HTTP header leakage across domains.
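The fallback rules stated across the directives above (fetch directives fall back to <tt>allow</tt>, a missing <tt>allow</tt> means <tt>'none'</tt>, a missing <tt>frame-ancestors</tt> is enforced as "*") can be checked with the following evaluator. It is an added example, not code from the Mozilla specification or from any browser; it assumes the 2010 Mozilla syntax (directives separated by ";", source expressions by whitespace) and handles only the source forms <tt>'self'</tt>, <tt>'none'</tt>, <tt>*</tt>, <tt>scheme://host</tt>, <tt>host</tt> and <tt>*.host</tt>.

```javascript
// Added example (not the spec's own code): evaluates which sources a
// directive effectively permits under the default/fallback rules above.
const FALLS_BACK_TO_ALLOW = new Set([
  "img-src", "media-src", "script-src", "object-src",
  "frame-src", "font-src", "xhr-src", "style-src",
]);

// Parse "allow 'self'; img-src *" into { allow: ["'self'"], "img-src": ["*"] }.
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective source list for a directive:
//  - an explicitly specified directive is used as written;
//  - frame-ancestors defaults to "*" (always render);
//  - fetch directives fall back to `allow`, and a missing `allow` means 'none'.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (directive === "frame-ancestors") return ["*"];
  if (FALLS_BACK_TO_ALLOW.has(directive)) return policy["allow"] || ["'none'"];
  return ["'none'"];
}

// Does an origin such as "https://cdn.example.com" match one source expression?
// `self` is the protected document's own origin (scheme://host).
function sourceMatches(source, origin, self) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return origin === self;
  const [scheme, host] = origin.split("://");
  const [srcScheme, srcHost] =
    source.includes("://") ? source.split("://") : [scheme, source];
  if (srcScheme !== scheme) return false;
  // "*.example.com" matches subdomains only, not "example.com" itself.
  if (srcHost.startsWith("*.")) return host.endsWith(srcHost.slice(1));
  return host === srcHost;
}

// Final decision the User Agent would make for one request or ancestor.
function isAllowed(policy, directive, origin, self) {
  return effectiveSources(policy, directive)
    .some((s) => sourceMatches(s, origin, self));
}
```

A policy with no <tt>allow</tt> and only <tt>img-src</tt> therefore blocks scripts, frames and XHR entirely while still letting any site embed the page, which is why the spec singles out <tt>frame-ancestors</tt> as the one directive that does not inherit from <tt>allow</tt>.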
;policy-uri: