The default-src directive specifies the security policy for types of content that are not specifically defined by their own directives. This includes:
Valid host expressions can include:
https://*.report-uri.com Matches all subdomains of report-uri.com using the HTTPS scheme but not report-uri.com itself.
www.report-uri.com:443 Matches www.report-uri.com only on port 443 using any scheme.
https://report-uri.com:* Matches any port on report-uri.com using HTTPS.
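As an added example (not part of the original page), this matcher implements the three host-expression rules above: an explicit scheme must match, a `*.` prefix matches subdomains but never the apex host, a missing port means the scheme's default port, and `:*` means any port. It follows the page's own statement that a scheme-less expression matches any scheme; IPv6 literals are out of scope.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_host_source(expr: str):
    """Split 'https://*.report-uri.com:443' into (scheme|None, host, port).

    port is None when omitted, the string '*' for a wildcard, else an int."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
        scheme = scheme.lower()
    host, sep, port = expr.rpartition(":")
    if not sep:                       # no ':' at all: no port was given
        host, port = expr, None
    elif port != "*":
        port = int(port)
    return scheme, host.lower(), port


def host_matches(pattern: str, host: str) -> bool:
    """'*.report-uri.com' matches cdn.report-uri.com but not report-uri.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".report-uri.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def matches(expr: str, url: str) -> bool:
    """Does the single host expression `expr` permit loading `url`?"""
    e_scheme, e_host, e_port = parse_host_source(expr)
    u = urlsplit(url)
    u_scheme = u.scheme.lower()
    u_host = (u.hostname or "").lower()
    u_port = u.port or DEFAULT_PORTS.get(u_scheme)
    if e_scheme is not None and e_scheme != u_scheme:
        return False                  # scheme given and it differs
    if not host_matches(e_host, u_host):
        return False
    if e_port == "*":
        return True                   # ':*' permits any port
    # Expression without a port: the URL must be on its scheme's default port.
    expected = DEFAULT_PORTS.get(u_scheme) if e_port is None else e_port
    return u_port == expected
```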
The script-src directive specifies valid sources for JavaScript. This directive falls back to default-src if not specified. When either script-src or default-src is present, the use of inline script and eval() is blocked without the addition of Unsafe Inline and Unsafe Eval respectively.
If you'd like to use different sources for script elements (script requests, script blocks) and attributes, use the respective section instead.
The script-src-elem directive specifies valid sources for JavaScript in script elements (script requests, script blocks). This directive falls back to script-src (which in turn falls back to default-src) if not specified. When present, the use of inline script and eval() is blocked without the addition of Unsafe Inline and Unsafe Eval respectively.
If you'd like to use different sources for all scripts or just for attributes, use the respective section instead.
The script-src-attr directive specifies valid sources for JavaScript in attributes like inline handlers. This directive falls back to script-src (which in turn falls back to default-src) if not specified. When present, the use of inline script and eval() is blocked without the addition of Unsafe Inline and Unsafe Eval respectively.
If you'd like to use different sources for all scripts or just for script elements, use the respective section instead.
This will 'flatten' the script-src-elem and script-src-attr directives into the script-src directive, resulting in a simpler policy. Make sure you understand the impact this will have on your policy.
The style-src directive specifies valid sources for stylesheets. This directive falls back to default-src if not specified. When either style-src or default-src is present, the use of inline <style> elements and HTML style attributes is disabled unless you specify Unsafe Inline.
If you'd like to use different sources for style elements and for inline attributes, use the respective section instead.
The style-src-elem directive specifies valid sources for stylesheets, except for styles defined in attributes. This directive falls back to style-src (which falls back to default-src in turn) if not specified. When present, the use of inline <style> elements and HTML style attributes is disabled unless you specify Unsafe Inline.
If you'd like to use different sources for all styles or just for style attributes, use the respective section instead.
The style-src-attr directive specifies valid sources for stylesheets in inline attributes. This directive falls back to style-src (which falls back to default-src in turn) if not specified. When present, the use of inline <style> elements and HTML style attributes is disabled unless you specify Unsafe Inline.
If you'd like to use different sources for all styles or just for style elements, use the respective section instead.
This will 'flatten' the style-src-elem and style-src-attr directives into the style-src directive, resulting in a simpler policy. Make sure you understand the impact this will have on your policy.
The img-src directive specifies valid sources for images and favicons. This directive falls back to default-src if not specified.
The font-src directive specifies valid sources for fonts loaded using @font-face. This directive falls back to default-src if not specified.
The connect-src directive specifies valid sources for fetch, XMLHttpRequest, WebSocket and EventSource connections. This directive falls back to default-src if not specified.
The media-src directive specifies valid sources for the <audio> and <video> elements. This directive falls back to default-src if not specified.
The object-src directive specifies valid sources for the <object>, <embed> and <applet> elements. This directive falls back to default-src if not specified.
The prefetch-src directive restricts the URLs from which resources may be prefetched or prerendered. This directive falls back to default-src if not specified.
The child-src directive specifies valid sources for elements such as <frame> and <iframe>. This directive falls back to default-src if not specified.
The frame-src directive specifies valid sources for elements such as <frame> and <iframe>. This directive falls back to child-src if not specified (which falls back to default-src in turn).
The worker-src directive specifies valid sources for Worker, SharedWorker or ServiceWorker. This directive falls back to child-src if not specified.
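The fallback chains stated for the directives above (script-src-elem and script-src-attr to script-src to default-src, style-src-elem and style-src-attr to style-src to default-src, frame-src and worker-src to child-src to default-src, and no fallback at all for frame-ancestors, form-action and base-uri) are easy to get wrong when reading a long policy. This added example, not part of the original page, parses a header value and reports which directive actually governs a given fetch; the hostnames in the test policy are constructed.

```python
# Directive each one falls back to when it is absent from the policy, as
# described on this page. Directives with no entry (frame-ancestors,
# form-action, base-uri, sandbox, ...) never fall back to anything.
FALLBACK = {
    "script-src": "default-src",
    "script-src-elem": "script-src",
    "script-src-attr": "script-src",
    "style-src": "default-src",
    "style-src-elem": "style-src",
    "style-src-attr": "style-src",
    "img-src": "default-src",
    "font-src": "default-src",
    "connect-src": "default-src",
    "media-src": "default-src",
    "object-src": "default-src",
    "prefetch-src": "default-src",
    "manifest-src": "default-src",
    "child-src": "default-src",
    "frame-src": "child-src",
    "worker-src": "child-src",
}


def parse_policy(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Directives are separated by ';', the first token is the directive name
    (case-insensitive) and the remaining tokens are its source list."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_directive(policy: dict, directive: str):
    """Return (governing_directive, sources) by walking the fallback chain.

    (None, None) means nothing in the chain is present, so this kind of
    fetch is left unrestricted by the policy: a common review finding."""
    current = directive
    while current is not None:
        if current in policy:
            return current, policy[current]
        current = FALLBACK.get(current)
    return None, None
```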
The frame-ancestors directive specifies parents that may embed a page using elements such as <frame> and <iframe>. It replaces the X-Frame-Options header.
The form-action directive specifies locations that can be used for <form> submissions.
The upgrade-insecure-requests directive forces a user agent to load all assets over HTTPS, even if the URL specifies HTTP, when the page is loaded using HTTPS. It is ignored in a Report-Only policy.
The block-all-mixed-content directive prevents a user agent from loading any assets using HTTP when the page is loaded using HTTPS. It is ignored in a Report-Only policy.
The disown-opener directive ensures that a resource disowns its opener when navigated to.
The sandbox directive applies restrictions to a page, including preventing popups, plugins and scripts, and enforcing a same-origin policy.
The base-uri directive specifies URIs that a user agent may use as the document's base URL for relative URIs.
The manifest-src directive specifies which manifest can be applied to the resource. This directive falls back to default-src if not specified.
The plugin-types directive specifies the allowed plugins that the user agent may invoke.
The Report Only flag puts the CSP header into report-only mode. The user agent will deliver violation reports but not enforce the policy. Used for testing purposes.
The report-uri directive specifies the URI that the user agent will POST a JSON formatted violation report to should the CSP be violated.
The report-to directive specifies a token that the user agent will use to look up the reporting group in the Report-To header.