Place the directives in the content attribute value.Set the value of the http-equiv attribute to Content-Security-Policy.Use single quotes around each hash.įor a Content Security Policy Level 2 browser support matrix, see Can I use: Content Security Policy Level 2. Copy the hashes provided by the browser to the script-src sources.The browser calculates and displays hashes for blocked scripts when a CSP header or meta tag is present. Access the browser's developer tools console while running the app locally.Apply the CSP shown in the Apply the policy section.To obtain SHA hashes for additional inline scripts: The preceding directives are supported by all browsers except Microsoft Internet Explorer. upgrade-insecure-requests: Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.Specify unsafe-inline to allow the use of inline styles.Specify the host source for Bootstrap stylesheets.style-src: Indicates valid sources for stylesheets.In a Blazor Server app, specify hashes to permit required scripts to load.
script-src: Indicates valid sources for scripts.object-src: Indicates valid sources for the, , and tags.Specify https: to permit loading images from HTTPS endpoints.Specify data: to permit loading images from data: URLs.img-src: Indicates valid sources for images.Specify self to indicate that the app's origin, including the scheme and port number, is a valid source. default-src: Indicates a fallback for source directives that aren't explicitly specified by the policy.block-all-mixed-content: Prevents loading mixed HTTP and HTTPS content.base-uri: Restricts the URLs for a page's tag.The following directives are used in the Apply the policy section of this article, where example security policies for Blazor WebAssembly and Blazor Server are provided: Add additional directives and sources as needed. Minimally, specify the following directives and sources for Blazor apps. When a page contains a tag with a third-party origin in the src attribute, the browser prevents the script from loading.ĬSP is supported in most modern desktop and mobile browsers, including Chrome, Edge, Firefox, Opera, and Safari. For example, consider a policy that doesn't allow third-party scripts.
When policy directives aren't met for a resource, the browser doesn't load the resource. The browser inspects the page's sources and determines if they meet the requirements of the content security directives. Policies are evaluated by the browser while a page is loading.
Hipchat desktop app caches img src code#
For guidance on applying a CSP to an app in C# code at startup, see ASP.NET Core Blazor Startup. To apply a CSP to an app, the developer specifies several CSP content security directives in one or more Content-Security-Policy headers or tags.