The Content Security Policy (CSP) is a set of directives that inform the user's browser of locations from which an application is allowed to load resources. These locations are provided in the form of URL schemes, including the use of an asterisk (*) to represent all URLs. Each directive governs a specific resource type that affects what is displayed in a browser. Collectively, the directives are sent to the client in the Content-Security-Policy HTTP header. Each browser type and version obey as much of the policy as they can. If a browser does not understand a directive, it is ignored; otherwise it is explicitly followed.
Special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of any URL and must be explicitly listed. Policy authors should note that the content of such URLs may be unsafe, because it is often derived from a response body or an execution in a Document context, which might be unsafe.
To access the Content Security Policies in an application, do one of the following actions:
Content Security Policy rules are instances of the Rule-Access-CSP class. They belong to the Security category.
The Content Security Policies form displays the following tabs that provide configuration options for what to display in a browser: