(connect-src, script-src, etc.): https://privy.your-base-domain.com

- child-src:
- frame-src:
- connect-src:
- script-src:

- frame-src: https://oauth.telegram.org (Telegram OAuth domain)
- script-src: https://telegram.org (Telegram login domain)
- connect-src:

- connect-src:
Use the Content-Security-Policy-Report-Only header, which sends violation reports without actually enforcing the policy. This lets you judge whether a modification to your CSP will impact your site's expected functionality.

If your policy is strict, you will see many reported violations caused by browser extensions trying to inject scripts into the page. This is completely normal. It is best to filter these out to avoid the noise.

Start in report-only mode with the Content-Security-Policy-Report-Only header. Once the policy has been validated in production, you can migrate to Content-Security-Policy, which enforces directive violations.

Going forward, you can deploy with both the Content-Security-Policy-Report-Only and Content-Security-Policy headers set simultaneously. This allows you to test a new policy through the report-only header and A/B test it against your existing, enforced policy.

Use report-uri to receive violation and enforcement reports, and set up a monitoring dashboard so you can review them.
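As an added example of the rollout just described (not Privy's code), this Node snippet builds the two headers with a report-uri and triages the JSON reports that endpoint receives, dropping the extension-injection noise; the allowed sources and the /csp-report path are assumptions.

```javascript
// Added example (not Privy's code): rollout headers plus report-uri triage.
// Host placeholder is the page's; allowed sources and /csp-report path are assumptions.
const newPolicy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://privy.your-base-domain.com"],
  "connect-src": ["'self'", "https://privy.your-base-domain.com"],
  "frame-src": ["https://privy.your-base-domain.com"],
  "frame-ancestors": ["'none'"],
};
// Serialise a directive map into a header value, appending report-uri so the
// browser posts violation reports to that endpoint.
function buildCspValue(dirs, reportUri) {
  const parts = Object.entries(dirs).map(([n, s]) => `${n} ${s.join(" ")}`);
  if (reportUri) parts.push(`report-uri ${reportUri}`);
  return parts.join("; ");
}
// Both headers at once: the candidate policy only reports, the existing one enforces.
function rolloutHeaders(candidate, existing, reportUri) {
  return {
    "Content-Security-Policy-Report-Only": buildCspValue(candidate, reportUri),
    "Content-Security-Policy": buildCspValue(existing, reportUri),
  };
}
// Extension-injected scripts surface with an extension origin (chrome-extension://,
// moz-extension://, ...) as the blocked URI or as the requesting source file.
function isExtensionNoise(r) {
  return [r["blocked-uri"], r["source-file"]].some(
    (v) => typeof v === "string" && /^[a-z-]*extension:\/\//.test(v)
  );
}
// Count the remaining violations per directive: the numbers a dashboard should show.
function triageReports(reports) {
  const counts = {};
  for (const { "csp-report": r } of reports) {
    if (!r || isExtensionNoise(r)) continue;
    const key = r["effective-directive"] || r["violated-directive"];
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
// Constructed sample reports in the report-uri JSON shape, not captured from a real site.
const sampleReports = [
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "chrome-extension://abc/inject.js" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "moz-extension://xyz/content.js" } },
  { "csp-report": { "effective-directive": "connect-src", "blocked-uri": "https://api.example.net/v1" } },
  { "csp-report": { "effective-directive": "frame-src", "blocked-uri": "https://oauth.telegram.org/auth" } },
];
```

Running triageReports(sampleReports) leaves one connect-src and one frame-src violation to investigate, while both extension-origin script-src reports are discarded.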
A policy is delivered with the Content-Security-Policy HTTP header. In that header, you specify a policy, which is described using a set of policy directives; each directive tells the browser what to do with respect to a given resource type.

For example, the img-src directive tells the browser which sources of images are valid. If you set such a CSP header, <img> elements loaded from other sites will be blocked.
Set the following directives:

- script-src as locked down as possible, to prevent malicious code execution
- frame-ancestors to none, unless you expect your website to be embedded
- connect-src as locked down as possible, to prevent unauthorized data exfiltration
- child-src and frame-src, to control iframe loading and execution
- worker-src, if you use web workers
- default-src, as a fallback for unlisted directives