Security/CSP/BaseModule

Revision as of 20:53, 20 October 2009 by Abarth (talk | contribs)

Overview

This document describes the basic syntax and semantics for content security policies. This document does not describe any individual policy directives. The directives are defined in separate modules targeted at various threats. To learn about policy directives, please see the list of CSP modules.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy. The X-Content-Security-Policy header has the following syntax:

content-security-policy = "x-content-security-policy" ":" OWS csp-policy OWS
csp-policy              = csp-rule ["," csp-policy]
csp-rule                = future-rule / known-rule
future-rule             = (anything but ",")
known-rule              = *SP directive [ 1*SP origin-list ] *SP
directive               = (see below)
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor         = qualified-host-name / "*" ["." host-name ]
qualified-host-name     = dns-label "." host-name
host-name               = dns-label ["." host-name]
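The following parser, added here as a worked example and not part of the original page or of any CSP implementation, turns a header value into rules according to the ABNF above. The page leaves dns-label, scheme and the shape of a directive undefined, so this code assumes RFC 1035 labels, an RFC 3986 scheme token and a directive made of letters, digits and hyphens; the directive names in the sample header (allow, img-src, script-src) are constructed and carry no meaning here. Anything that does not fit known-rule is kept verbatim as a future-rule, exactly as the grammar's csp-rule alternative allows.

```python
"""Parse an X-Content-Security-Policy value per the grammar on this page.

Constructed example. dns-label, scheme and the directive token are not
defined on the page; the shapes assumed for them are marked below.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Assumption: dns-label as in RFC 1035 (1-63 letters/digits/hyphens,
# no leading or trailing hyphen).
DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Assumption: scheme as in RFC 3986.
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
# Assumption: a directive is a bare token of letters, digits and hyphens.
DIRECTIVE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# host-descriptor = qualified-host-name / "*" ["." host-name]
# qualified-host-name = dns-label "." host-name  -> at least two labels,
# so a single label such as "localhost" is not a host-descriptor.
HOST_DESCRIPTOR = (
    rf"(?:{DNS_LABEL}(?:\.{DNS_LABEL})+)"        # qualified-host-name
    rf"|(?:\*(?:\.{DNS_LABEL}(?:\.{DNS_LABEL})*)?)"  # "*" ["." host-name]
)
# origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor
ORIGIN_RE = re.compile(rf"^(?:(?P<scheme>{SCHEME})://)?(?P<host>{HOST_DESCRIPTOR})$")
KEYWORDS = {"none", "self", "*"}  # ABNF quoted strings are case-insensitive


@dataclass(frozen=True)
class KnownRule:
    directive: str
    origins: Tuple[str, ...]  # origin-list in header order; () if absent


@dataclass(frozen=True)
class FutureRule:
    text: str  # preserved verbatim and not interpreted


Rule = Union[KnownRule, FutureRule]


def is_origin_descriptor(token: str) -> bool:
    """True if token matches the origin-descriptor production."""
    return token.lower() in KEYWORDS or ORIGIN_RE.match(token) is not None


def parse_rule(raw: str) -> Rule:
    """csp-rule = future-rule / known-rule.

    known-rule = *SP directive [ 1*SP origin-list ] *SP, where SP is a
    single space; tabs or other whitespace inside a rule do not fit
    known-rule, so such a rule falls through to future-rule.
    """
    tokens = [t for t in raw.split(" ") if t]  # runs of SP are 1*SP
    if (
        tokens
        and DIRECTIVE_RE.match(tokens[0])
        and all(is_origin_descriptor(t) for t in tokens[1:])
    ):
        return KnownRule(tokens[0], tuple(tokens[1:]))
    return FutureRule(raw)


def parse_policy(header_value: str) -> List[Rule]:
    """csp-policy = csp-rule ["," csp-policy], with OWS around the value."""
    return [parse_rule(part) for part in header_value.strip(" \t").split(",")]


def future_rules(rules: List[Rule]) -> List[str]:
    """Rules the grammar could not classify as known-rule."""
    return [r.text.strip(" ") for r in rules if isinstance(r, FutureRule)]


if __name__ == "__main__":
    # Constructed sample header; "scrpit-src localhost" fails known-rule
    # because "localhost" has only one label.
    sample = ("allow self, img-src *, "
              "script-src https://cdn.example.com *.example.com, "
              "scrpit-src localhost")
    for rule in parse_policy(sample):
        print(rule)
    print("future-rules:", future_rules(parse_policy(sample)))
```

Two consequences of the grammar are worth checking for in any header you intend to serve: a mistyped directive and a host without a dot both end up under future-rule rather than known-rule, so running `future_rules()` over the parse before deployment surfaces slips that the grammar itself accepts without complaint.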

Semantics

yyy