The HTTP Content-Security-Policy
(CSP) script
-src
directive specifies valid sources for sources for JavaScript. This includes not only URLs loaded directly into <script>
elements, but also things like inline script event handlers (onclick
) and XSLT stylesheets which can trigger script execution.
CSP version | 1 |
---|---|
Directive type | Fetch directive |
default-src fallback | Yes. If this directive is absent, the user agent will look for the default-src directive. |
One or more sources can be allowed for the script-src
policy:
Content-Security-Policy: script-src <source>; Content-Security-Policy: script-src <source> <source>;
<source> can be one of the following:
'*'
), and you may use a wildcard (again, '*'
) as the port number, indicating that all legal ports are valid for the source.http://*.example.com
: Matches all attempts to load from any subdomain of example.com using the http:
URL scheme.mail.example.com:443
: Matches all attempts to access port 443 on mail.example.com.https://store.example.com
: Matches all attempts to access store.example.com using https:
.data:
Allows data:
URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream:
Allows mediastream:
URIs to be used as a content source.blob:
Allows blob:
URIs to be used as a content source.filesystem:
Allows filesystem:
URIs to be used as a content source.'self'
blob
and filesystem
from source directives. Sites needing to allow these content types can specify them using the Data attribute.'unsafe-inline'
<script>
elements, javascript:
URLs, inline event handlers, and inline <style>
elements. You must include the single quotes.'unsafe-eval'
eval()
and similar methods for creating code from strings. You must include the single quotes.'none'
strict-dynamic
source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self'
or 'unsafe-inline'
will be ignored. See script-src for an example.Given this CSP header:
Content-Security-Policy: script-src https://example.com/
the following script is blocked and won't be loaded or executed:
<script src="https//not-example.com/js/library.js"></script>
Note that inline event handlers are blocked as well:
<button id="btn" onclick="doSomething()">
You should replaced them with addEventListener
calls:
document.getElementById("btn").addEventListener('click', doSomething);
Note: Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. However, if you absolutely have to use it, there are a few mechanisms that will allow them.
To allow inline scripts and inline event handlers, 'unsafe-inline'
, a nonce-source or a hash-source that matches the inline block can be specified.
Content-Security-Policy: script-src 'unsafe-inline';
The above Content Security Policy will allow inline <script>
elements
<script type="text/javascript"> var inline = 1; </script>
You can use a nonce-source to only allow specific inline script blocks:
Content-Security-Policy: script-src 'nonce-2726c7f26c'
You will have to set the same nonce on the <script>
element:
<script type="text/javascript" nonce="2726c7f26c"> var inline = 1; </script>
Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.
Content-Security-Policy: script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'
When generating the hash, don't include the <script>
tags and note that capitalization and whitespace matter, including leading or trailing whitespace.
<script type="text/javascript">var inline = 1;</script>
The 'unsafe-eval'
source expression controls several script execution methods that create code from strings. If 'unsafe-eval'
isn't specified with the script-src
directive, the following methods are blocked and won't have any effect:
eval()
Function()
window.setTimeout("alert(\"Hello World!\");", 500);
window.execScript
(IE < 11 only)strict-dynamic
The 'strict-dynamic
' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self'
or 'unsafe-inline'
will be ignored. For example, a policy such as script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/
would allow loading of a root script with <script nonce="R4nd0m" src="https://example.com/loader.js">
and propogate that trust to any script loaded by loader.js
, but disallow loading scripts from https://whitelisted.com/
.
script-src 'strict-dynamic' 'nonce-someNonce'
Or
script-src 'strict-dynamic' 'sha256-hash'
It is possible to deploy strict-dynamic
in a backwards compatible way, without requiring user-agent sniffing.
The policy:
script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'
will act like'unsafe-inline' https:
in browsers that support CSP1, https: 'nonce-abcdefg'
in browsers that support CSP2, and 'nonce-abcdefg' 'strict-dynamic'
in browsers that support CSP3.
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'script-src' in that specification. | Editor's Draft | No changes. |
Content Security Policy Level 2 The definition of 'script-src' in that specification. | Candidate Recommendation | Initial definition. |
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | Servo |
---|---|---|---|---|---|---|---|
Basic Support | 25 | 14 | 23.0 | No support | 15 | 7 | ? |
Feature | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|---|
Basic Support | 4.4 | (Yes) | ? | 23.0 | No support | ? | 7.1 |
© 2005–2017 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src