Content Security Policy
An additional security layer that helps prevent and mitigate some types of attacks, including Cross-Site Scripting (XSS).
Every configurable directive accepts the source expressions defined in the specification: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources
Configurable Properties
The default-src directive serves as a fallback for the other CSP fetch directives: for each such directive that is absent from the policy, the user agent uses the value of default-src instead.
Name | DirectiveDefault_Src
Code | DEFAULT_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | (not set)
The directive specifies valid sources for style sheets. If this directive is absent, the user agent will look for the default-src directive. One or more sources are allowed for the style-src directive.
Name | DirectiveStyle_Src
Code | STYLE_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | (not set)
The directive specifies valid sources for fonts. If this directive is absent, the user agent will look for the default-src directive. One or more sources are allowed for the font-src directive.
Name | DirectiveFont_Src
Code | FONT_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | (not set)
The directive specifies valid JavaScript sources. If this directive is absent, the user agent will look for the default-src directive. One or more sources are allowed for the script-src directive.
Name | DirectiveScript_Src
Code | SCRIPT_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | (not set)
The directive specifies valid image sources. If this directive is absent, the user agent will look for the default-src directive. One or more sources are allowed for the img-src directive.
Name | DirectiveImg_Src
Code | IMG_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | data
The directive specifies valid sources for loading nested browsing contexts using elements like <frame> and <iframe>. One or more sources are allowed for the frame-src directive.
Name | DirectiveFrame_Src
Code | FRAME_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | (not set)
The directive specifies the sites that may embed the Deyel portal using <frame>, <iframe>, <object>, <embed> or <applet>. It differs from the frame-src directive, which specifies where the Deyel portal itself may load iframes from. One or more sources are allowed for the frame-ancestors directive.
Name | DirectiveFrame_ancestors_Src
Code | FRAME_ANCESTORS_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | (not set)
The directive restricts the URLs that can be used as the action target of HTML <form> elements submitted from Deyel. One or more sources are allowed for the form-action directive.
Name | DirectiveForm_action_Src
Code | FORM_ACTION_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | *.google.com
The directive restricts the URLs that can be loaded via script interfaces. The APIs restricted by this directive are: <a> ping, fetch(), XMLHttpRequest, WebSocket, EventSource and Navigator.sendBeacon(). If this directive is absent, the user agent will look for the default-src directive. One or more sources are allowed for the connect-src directive.
Name | DirectiveConnect_Src
Code | CONNECT_SRC
Configuration Levels | Installation, Application, Organizational Unit, User
Dynamic | (not set)
Encrypted | (not set)
Default Value | https://www.cloudflare.com/cdn-cgi/trace data
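As an added, runnable illustration of the fallback and source-matching rules these properties configure (example code written for this page, not Deyel's own implementation), the block below assembles a Content-Security-Policy header from property values keyed by the codes listed above and then evaluates sample URLs against it. The mapping from property code to CSP directive, the portal origin https://portal.example.com and the default-src value 'self' are assumptions; the other values are this page's defaults, with scheme sources written as `data:` (the colon form the specification requires; whether the platform expands the bare `data` shown above is not stated on this page). The matcher is deliberately simplified: ports and the full path-matching algorithm are not modelled.

```python
from urllib.parse import urlsplit

# Property codes named on this page -> the CSP directive each is assumed to emit.
DIRECTIVE_FOR_CODE = {
    "DEFAULT_SRC": "default-src", "STYLE_SRC": "style-src", "FONT_SRC": "font-src",
    "SCRIPT_SRC": "script-src", "IMG_SRC": "img-src", "FRAME_SRC": "frame-src",
    "FRAME_ANCESTORS_SRC": "frame-ancestors", "FORM_ACTION_SRC": "form-action",
    "CONNECT_SRC": "connect-src",
}
# Fetch directives that inherit default-src when absent. frame-ancestors and
# form-action are navigation directives and never inherit it.
FALLS_BACK_TO_DEFAULT = {"style-src", "font-src", "script-src", "img-src",
                         "frame-src", "connect-src"}

def build_header(properties):
    """Join non-empty property values into one header value, in directive order."""
    parts = []
    for code, directive in DIRECTIVE_FOR_CODE.items():
        value = properties.get(code, "").strip()
        if value:
            parts.append(f"{directive} {value}")
    return "; ".join(parts)

def parse_header(header):
    """Split a header value back into {directive: 'source source ...'}."""
    policy = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(" ")
            policy[name.lower()] = value.strip()
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`; None means CSP imposes no restriction."""
    if directive in policy:
        return policy[directive].split()
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"].split()
    return None

def _host_matches(pattern, hostname):
    # '*.google.com' matches 'accounts.google.com' but not 'google.com' itself.
    if not pattern or not hostname:
        return False
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return hostname == pattern

def source_matches(source, url, page_origin):
    """Simplified source-expression matching: 'self', 'none', scheme sources such
    as data:, and host sources with optional scheme, wildcard and path. Ports
    are ignored here, which the specification's algorithm does not do."""
    u, origin = urlsplit(url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (origin.scheme, origin.netloc)
    if source.endswith(":") and "//" not in source:   # scheme source, e.g. data:
        return u.scheme == source[:-1].lower()
    if "://" in source:                                # scheme + host [+ path]
        s = urlsplit(source)
        if u.scheme != s.scheme or not _host_matches(s.hostname, u.hostname):
            return False
        if not s.path:
            return True
        # A path ending in '/' is a prefix; any other path must match exactly.
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    # Bare host source: the URL scheme must be the page's, or https on an http page.
    scheme_ok = u.scheme == origin.scheme or (origin.scheme, u.scheme) == ("http", "https")
    return scheme_ok and _host_matches(source.lower(), u.hostname)

def is_allowed(policy, directive, url, page_origin):
    """True if `url` may be used for `directive` under `policy`."""
    sources = effective_sources(policy, directive)
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)

# Constructed sample: this page's non-empty defaults plus default-src 'self' so the
# fallback is visible; scheme sources carry the trailing colon the spec requires.
SAMPLE_PROPERTIES = {
    "DEFAULT_SRC": "'self'",
    "IMG_SRC": "data:",
    "FORM_ACTION_SRC": "*.google.com",
    "CONNECT_SRC": "https://www.cloudflare.com/cdn-cgi/trace data:",
}
PORTAL = "https://portal.example.com"   # hypothetical portal origin, not from the page
```

Running `build_header(SAMPLE_PROPERTIES)` yields `default-src 'self'; img-src data:; form-action *.google.com; connect-src https://www.cloudflare.com/cdn-cgi/trace data:`. Two behaviours worth checking against your own configuration: once IMG_SRC is set to `data:`, images from the portal's own origin are no longer covered by the 'self' in default-src, because a directive that is present replaces the fallback instead of extending it; and because frame-ancestors and form-action never inherit default-src, leaving FRAME_ANCESTORS_SRC empty means the policy places no restriction at all on which sites may frame the portal.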