Security/CSP/BaseModule
Overview
This document describes the basic syntax and semantics for content security policies. This document does not describe any individual policy directives. The directives are defined in separate modules targeted at various threats. To learn about policy directives, please see the list of CSP modules.
Syntax
An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy. The general X-Content-Security-Policy header has the following syntax:
content-security-policy = "x-content-security-policy" ":" OWS csp-policy OWS
csp-policy = csp-rule ["," csp-policy]
csp-rule = future-rule / known-rule
future-rule = (anything but ",")
known-rule = *SP directive [ 1*SP origin-list ] *SP
directive = (see below)
origin-list = origin-descriptor [ 1*SP origin-list ]
origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor = qualified-host-name / "*" ["." host-name ]
qualified-host-name = dns-label "." host-name
host-name = dns-label ["." host-name]
The browser MUST ignore any X-Content-Security-Policy header fields occurring in an HTML meta tag or in the Trailer headers. The semantics of these directives are described in the following section.
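As an added example (not part of this wiki page or of Mozilla's implementation), the following Python code applies the grammar above to a header value, separating known-rules from future-rules, and then checks a candidate origin against an origin-list. The matching rules for "none", "self", "*" and wildcard hosts are assumptions, since the Semantics section is not yet written; the directive names and the "scheme"/"dns-label" syntax are likewise assumed.

```python
import re
from typing import Dict, List

# Regular expressions built from the ABNF on this page. The draft does not
# define "scheme" or "dns-label"; RFC 3986 scheme and LDH labels are assumed.
DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_NAME = rf"{DNS_LABEL}(?:\.{DNS_LABEL})*"
# host-descriptor = qualified-host-name / "*" ["." host-name]
HOST_DESCRIPTOR = rf"(?:{DNS_LABEL}\.{HOST_NAME}|\*(?:\.{HOST_NAME})?)"
# origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor
ORIGIN_DESCRIPTOR = re.compile(
    rf"^(?:none|self|\*|(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?(?P<host>{HOST_DESCRIPTOR}))$"
)

def parse_policy(value: str, known_directives) -> dict:
    """Split a csp-policy into known-rules (directive -> origin-list) and future-rules."""
    known: Dict[str, List[str]] = {}
    future: List[str] = []
    for rule in value.strip(" \t").split(","):      # csp-policy = csp-rule ["," csp-policy]
        tokens = [t for t in rule.split(" ") if t]  # *SP and 1*SP separators
        if not tokens or tokens[0] not in known_directives:
            future.append(rule.strip(" "))          # future-rule = (anything but ",")
            continue
        directive, origins = tokens[0], tokens[1:]
        if any(not ORIGIN_DESCRIPTOR.match(o) for o in origins):
            future.append(rule.strip(" "))          # bad origin-list: not a known-rule
            continue
        known[directive] = origins
    return {"known": known, "future": future}

def origin_allowed(origins: List[str], scheme: str, host: str, page_scheme: str, page_host: str) -> bool:
    """True if scheme://host matches at least one origin-descriptor (matching semantics assumed)."""
    for o in origins:
        if o == "none":
            continue                                # assumed: adds nothing to the allowed set
        if o == "*":
            return True
        if o == "self":
            if scheme == page_scheme and host == page_host:
                return True
            continue
        m = ORIGIN_DESCRIPTOR.match(o)
        if m.group("scheme") and m.group("scheme").lower() != scheme.lower():
            continue                                # descriptor pins a scheme that differs
        pattern = m.group("host").lower()
        if pattern == "*" or pattern == host.lower() or (
                pattern.startswith("*.") and host.lower().endswith(pattern[1:])):
            return True
    return False
```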
Semantics
yyy