Content Security Policy (CSP)
An example of a simple CSP header:
Content-Security-Policy: default-src 'self' example.com
This CSP header specifies that the browser may only load resources (scripts, stylesheets, images, fonts, frames, fetch/XHR targets and so on) from the following two sources:
- 'self': the origin the page itself was served from, i.e. the same scheme, host and port.
- example.com: resources may also be loaded from the host example.com. A host written without a scheme inherits the scheme of the page, so on an https page this means https://example.com. Subdomains such as cdn.example.com are not covered; a wildcard like *.example.com would be needed for that.
Because neither 'unsafe-inline' nor 'unsafe-eval' appears in the list, inline <script> blocks, inline event handlers and eval() are blocked as well. That is what makes even this simple policy useful against injected scripts.
default-src sets the fallback for every fetch directive that is not set explicitly. It is possible to set separate rules for loading images, stylesheets, fonts, frames or script files; each such directive then replaces (rather than extends) the default for its resource type:
Allow scripts from any subdomain of somecdn.com (the wildcard *.somecdn.com does not cover somecdn.com itself) as well as your own origin ('self'), allow inline scripts (script blocks within the HTML, inline event handlers such as onclick, and javascript: URLs) and allow scripts to call eval():
Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' *.somecdn.com;
Be aware that 'unsafe-inline' lets the browser run any script an attacker manages to inject into the page, and 'unsafe-eval' lets it evaluate strings as code. Together they give up most of the cross-site scripting protection that script-src is meant to provide, so prefer nonces or hashes over 'unsafe-inline' wherever the application allows it.
Allow loading images from any subdomain of ytimg.com as well as your own origin:
Content-Security-Policy: img-src 'self' *.ytimg.com;
Allow iframes from your own origin, any subdomain of cookiebot.com, any subdomain of youtube-nocookie.com and the host fonts.gstatic.com:
Content-Security-Policy: frame-src 'self' *.cookiebot.com *.youtube-nocookie.com fonts.gstatic.com;
Several directives can be combined in one policy, separated by semicolons, with a different source list for each resource type. Each listed directive fully replaces the fallback for its resource type: in the policy below, fonts may only come from fonts.gstatic.com and not from the site itself, because font-src does not include 'self'. And since no default-src is set, resource types that are not named (images, stylesheets, fetch/XHR) are not restricted at all:
Content-Security-Policy: frame-src 'self' somedomain.com; script-src 'self' someotherdomain.com; font-src fonts.gstatic.com;
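To make the matching rules above concrete, here is an added example (not code from the original article) of a small JavaScript evaluator that applies the CSP semantics this page relies on: default-src as the fallback for unset fetch directives, 'self' as the page's own origin (scheme, host and port), *.host wildcards, scheme-less hosts inheriting the page's scheme, and the 'unsafe-inline' and 'unsafe-eval' keywords. The page origin https://www.example.org and the resource URLs are assumptions made for the example; paths, nonces, hashes and 'strict-dynamic' are not modelled, so treat it as a reading aid, not as a replacement for testing in a browser.

```javascript
// Added example, not part of the original article: a minimal evaluator for
// CSP fetch directives. Run with: node csp-eval.js
// Not modelled: paths, nonces, hashes, 'strict-dynamic' (browsers apply those
// on top of what is shown here).

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Port actually in use: URL.port is '' when the scheme's default port is used.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// "directive sources; directive sources; ..." -> Map(name -> [sources]).
// As in browsers, a repeated directive name is ignored after its first use.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs a fetch directive: the directive itself, else
// default-src, else null (no restriction at all).
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// "*.somecdn.com" matches any subdomain but not somecdn.com itself.
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// Does one source expression permit loading resourceUrl into a page at pageOrigin?
function sourceMatches(source, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  if (source === "'self'") {
    return url.protocol === page.protocol &&
      url.hostname === page.hostname &&
      effectivePort(url) === effectivePort(page);
  }
  if (source.startsWith("'")) return false;          // 'none' and other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {         // scheme-source such as "https:"
    return url.protocol === source.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]; the path part is ignored here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else {
    // No scheme in the source: the page's scheme applies, and an http page may also load https.
    const schemeOk = url.protocol === page.protocol ||
      (page.protocol === 'http:' && url.protocol === 'https:');
    if (!schemeOk) return false;
  }
  if (port === undefined) {
    if (url.port !== '') return false;                // only the scheme's default port
  } else if (port !== '*' && port !== effectivePort(url)) {
    return false;
  }
  return true;
}

// Would the policy let the page load resourceUrl via the given fetch directive?
function allowsLoad(header, directive, resourceUrl, pageOrigin) {
  const sources = sourcesFor(parsePolicy(header), directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Inline <script> blocks and on* handlers need 'unsafe-inline' (or a nonce/hash, not modelled).
function allowsInlineScript(header) {
  const sources = sourcesFor(parsePolicy(header), 'script-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// eval(), new Function() and string arguments to setTimeout need 'unsafe-eval'.
function allowsEval(header) {
  const sources = sourcesFor(parsePolicy(header), 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// The article's policies, checked for a page served from https://www.example.org
// (the page origin and the resource URLs are assumptions made for this example).
const PAGE = 'https://www.example.org';
const SIMPLE = "default-src 'self' example.com";
const CDN = "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.somecdn.com;";
const MULTI = "frame-src 'self' somedomain.com; script-src 'self' someotherdomain.com; font-src fonts.gstatic.com;";

console.log(allowsLoad(SIMPLE, 'script-src', 'https://cdn.example.com/app.js', PAGE));   // false: no wildcard
console.log(allowsInlineScript(SIMPLE));                                                 // false
console.log(allowsLoad(CDN, 'script-src', 'https://somecdn.com/app.js', PAGE));          // false: apex not covered by *.
console.log(allowsLoad(CDN, 'img-src', 'https://anything.invalid/pic.png', PAGE));       // true: no img-src, no default-src
console.log(allowsLoad(MULTI, 'font-src', 'https://www.example.org/site.woff2', PAGE));  // false: font-src lacks 'self'
```

The last two checks are the ones that catch people out in practice: a policy without default-src leaves every unnamed resource type wide open, and a specific directive such as font-src does not inherit 'self' from anywhere unless it lists it.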
Apache and nginx differ slightly in syntax, but the principle is identical.