| Header | Default Setting | Notes |
|---|---|---|
| default-src | 'self' | Allows you to specify the default fallback for resources that can be loaded or fetched on the page, such as script-src, style-src, and so on. |
| connect-src | 'self' | Guards several browser mechanisms that can issue HTTP requests. This includes XMLHttpRequest (XHR/AJAX), WebSocket, fetch(), `<a ping>`, and EventSource. |
| font-src | 'self' | Guards loading of fonts using @font-face. |
| frame-ancestors | 'self' | Allows you to specify which parent URLs can frame the current resource. Using the frame-ancestors CSP directive, you can allow or block a page from being placed within a frame or iframe. If Clickjack Filtering was configured in web.xml and migration to CSP occurred, frame-ancestors is set to 'self' and the allow list is defined in the Clickjack Filter. |
| frame-src | 'self' tw-ra-client: | Controls loading of frames, for example using an `<iframe>` HTML tag within an HTML document. |
| img-src | 'self' | Guards loading of images, for example using an `<img>` HTML tag. |
| media-src | 'self' | Guards loading of audio and video, for example the HTML5 `<audio>` and `<video>` elements. |
| object-src | 'self' | Specifies the valid sources for the `<object>` and `<embed>` elements. This includes browser plugin features such as Flash, Java, and ActiveX controls. |
| script-src | 'self' 'unsafe-eval' 'unsafe-inline' | Guards the loading and execution of JavaScript. |
| style-src | 'self' 'unsafe-inline' | Guards the loading and execution of CSS styles and stylesheets. |
| worker-src | 'self' | |
Note on object-src:

Typically, when you modify a CSP directive, the default setting and the new setting(s) are combined, so the value injected into the CSP header includes the default plus the new setting. For example, frame-ancestors defaults to 'self'. If you update the frame-ancestors configuration to include https://*.somedomain.com, the final header value is 'self' https://*.somedomain.com.

object-src behaves differently: instead of augmenting the default setting with the administrator's update, the update replaces the default value. For example, the default setting for object-src is 'self'. If you update object-src to https://*.somedomain.com, the directive sent in the CSP header is only https://*.somedomain.com. If you want 'self' included, you must explicitly configure object-src as https://*.somedomain.com 'self'. If your object-src configuration includes 'none', it overrides any other settings; therefore 'self' 'none' is effectively 'none'.
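The following added example models the merge rules described in the note above so that the resulting header value can be previewed before it is deployed; it is not the product's own code, and the function names and the override format (a directive-to-source-list mapping) are assumptions made for this illustration.

```python
# Added illustration of the CSP merge rules in the note above. Not the
# product's code; function names and override format are assumptions.

# Default directive values as listed in the table above.
CSP_DEFAULTS: dict[str, list[str]] = {
    "default-src": ["'self'"],
    "connect-src": ["'self'"],
    "font-src": ["'self'"],
    "frame-ancestors": ["'self'"],
    "frame-src": ["'self'", "tw-ra-client:"],
    "img-src": ["'self'"],
    "media-src": ["'self'"],
    "object-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "worker-src": ["'self'"],
}

def merge_directive(name: str, override: list[str]) -> list[str]:
    """Return the final source list for one directive.

    Most directives keep their default and append the administrator's
    sources. object-src is the exception: the override replaces the
    default, and 'none' anywhere in the override wins outright.
    """
    default = CSP_DEFAULTS[name]
    if name == "object-src":
        if "'none'" in override:
            return ["'none'"]
        return list(override) if override else list(default)
    merged = list(default)
    for src in override:
        if src not in merged:
            merged.append(src)
    return merged

def build_csp_header(overrides: dict[str, list[str]]) -> str:
    """Render the Content-Security-Policy header value for all directives."""
    parts = []
    for name in CSP_DEFAULTS:
        sources = merge_directive(name, overrides.get(name, []))
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)

if __name__ == "__main__":
    # Constructed sample configuration mirroring the examples in the note.
    print(build_csp_header({
        "frame-ancestors": ["https://*.somedomain.com"],
        "object-src": ["https://*.somedomain.com"],
    }))
```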