Supported CSP directives

Page Shield policies support most Content Security Policy (CSP) directives, covering both monitored and unmonitored resources. You can use a policy to control other types of resources besides scripts and their connections, even though Page Shield is not monitoring these resources.

Each CSP directive can contain multiple values, including:

  • Schemes
  • Hostnames
  • URIs
  • Special keywords between single quotes (for example, 'none')
  • Hashes between single quotes (for example, 'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC')

Hostname and URI values support a * wildcard for the leftmost subdomain.

The following table lists the supported CSP directives and special values you can use in Page Shield policies:

| Directive | Name in the dashboard | Supported special values | Monitored |
|---|---|---|---|
| script-src | Scripts | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | Yes |
| connect-src | Connections | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | Yes |
| default-src | Default | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| img-src | Images | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| style-src | Styles | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| font-src | Fonts | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| object-src | Objects | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| media-src | Media | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| child-src | Child | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| form-action | Form actions | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| worker-src | Workers | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| base-uri | Base URI | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| manifest-src | Manifests | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| frame-src | Frames | 'none', 'self', 'unsafe-inline', 'unsafe-eval', '<HASH>' | No |
| frame-ancestors | Frame ancestors | 'none', 'self' | No |
| upgrade-insecure-requests | Upgrade insecure requests | N/A | No |
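
The value rules and the table above can be checked before a policy is saved. The following Python is an added example, not Cloudflare's code and not Page Shield's own validation: it computes a hash value for an inline script and lints one directive value against the rules stated on this page. The function names and the set of accepted hash algorithms (the three defined by the CSP specification) are assumptions.

```python
import base64
import hashlib
import re

# Special values per directive, transcribed from the table on this page.
FULL = {"'none'", "'self'", "'unsafe-inline'", "'unsafe-eval'", "'<HASH>'"}
SUPPORTED = dict.fromkeys((
    "script-src", "connect-src", "default-src", "img-src", "style-src",
    "font-src", "object-src", "media-src", "child-src", "form-action",
    "worker-src", "base-uri", "manifest-src", "frame-src"), FULL)
SUPPORTED["frame-ancestors"] = {"'none'", "'self'"}
SUPPORTED["upgrade-insecure-requests"] = set()  # N/A in the table: no values
# Assumption: the three digest algorithms the CSP specification defines.
DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
# "*." is accepted only as the leftmost host label, nowhere else in the value.
HOST_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*"
    r"(?::\d+)?(?P<path>/[^\s*]*)?$", re.I)


def csp_hash(inline_source: str, alg: str = "sha384") -> str:
    """Quoted hash value for the exact bytes of an inline script or style."""
    digest = hashlib.new(alg, inline_source.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode()}'"


def check_value(directive: str, value: str) -> str:
    """Return the kind of a value, or raise ValueError if the rules reject it."""
    allowed = SUPPORTED.get(directive)
    if not allowed:
        raise ValueError(f"{directive}: not in the table, or takes no values")
    if value.startswith("'"):
        m = HASH_RE.match(value)
        if m and "'<HASH>'" in allowed:
            raw = base64.b64decode(m.group(2), validate=True)
            if len(raw) != DIGEST_LEN[m.group(1)]:
                raise ValueError(f"digest length does not match {m.group(1)}")
            return "hash"
        if m is None and value in allowed - {"'<HASH>'"}:
            return "keyword"
        raise ValueError(f"{value} is not supported for {directive}")
    if SCHEME_RE.match(value):
        return "scheme"
    m = HOST_RE.match(value)
    if m is None:
        raise ValueError(f"not a scheme, hostname or URI: {value}")
    return "uri" if m.group("scheme") or m.group("path") else "hostname"
```

A hash matches only the exact bytes that were hashed, so any whitespace change in the inline script requires a new value.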

More resources

For more information on CSP directives and their values, refer to the following resources in the MDN documentation: