Documentation

ContentSecurityPolicy extends BaseConfig

Stores the default settings for the ContentSecurityPolicy, if you choose to use it. The values here will be read in and set as defaults for the site. If needed, they can be overridden on a page-by-page basis.

Suggested reference for explanations:

Tags
see
https://www.html5rocks.com/en/tutorials/security/content-security-policy/

Table of Contents

Properties

$autoNonce  : bool
Replace nonce tag automatically
$baseURI  : array<int, string>|string|null
Restricts the URLs that can appear in a page's `<base>` element.
$childSrc  : array<int, string>|string
Lists the URLs for workers and embedded frame contents
$connectSrc  : array<int, string>|string
Limits the origins that you can connect to (via XHR, WebSockets, and EventSource).
$defaultSrc  : array<int, string>|string|null
Will default to self if not overridden
$fontSrc  : array<int, string>|string
Specifies the origins that can serve web fonts.
$formAction  : array<int, string>|string
Lists valid endpoints for submission from `<form>` tags.
$frameAncestors  : array<int, string>|string|null
Specifies the sources that can embed the current page.
$frameSrc  : array<int, string>|string|null
The frame-src directive restricts the URLs which may be loaded into nested browsing contexts.
$imageSrc  : array<int, string>|string
Defines the origins from which images can be loaded.
$manifestSrc  : array<int, string>|string|null
$mediaSrc  : array<int, string>|string|null
Restricts the origins allowed to deliver video and audio.
$objectSrc  : array<int, string>|string
Allows control over Flash and other plugins.
$pluginTypes  : array<int, string>|string|null
Limits the kinds of plugins a page may invoke.
$reportOnly  : bool
Default CSP report context
$reportURI  : string|null
Specifies a URL where a browser will send reports when a content security policy is violated.
$sandbox  : array<int, string>|string|null
List of actions allowed.
$scriptNonceTag  : string
Nonce tag for script
$scriptSrc  : array<int, string>|string
Lists allowed scripts' URLs.
$styleNonceTag  : string
Nonce tag for style
$styleSrc  : array<int, string>|string
Lists allowed stylesheets' URLs.
$upgradeInsecureRequests  : bool
Instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for websites with large numbers of old URLs that need to be rewritten.

Properties

$baseURI

Restricts the URLs that can appear in a page's `<base>` element.

public array<int, string>|string|null $baseURI

Will default to self if not overridden

$childSrc

Lists the URLs for workers and embedded frame contents

public array<int, string>|string $childSrc = 'self'

$connectSrc

Limits the origins that you can connect to (via XHR, WebSockets, and EventSource).

public array<int, string>|string $connectSrc = 'self'

$defaultSrc

Will default to self if not overridden

public array<int, string>|string|null $defaultSrc

$fontSrc

Specifies the origins that can serve web fonts.

public array<int, string>|string $fontSrc

$formAction

Lists valid endpoints for submission from `<form>` tags.

public array<int, string>|string $formAction = 'self'

$frameAncestors

Specifies the sources that can embed the current page.

public array<int, string>|string|null $frameAncestors

This directive applies to `<frame>`, `<iframe>`, `<embed>`, and `<applet>` tags. This directive can't be used in `<meta>` tags and applies only to non-HTML resources.

$frameSrc

The frame-src directive restricts the URLs which may be loaded into nested browsing contexts.

public array<int, string>|string|null $frameSrc

$imageSrc

Defines the origins from which images can be loaded.

public array<int, string>|string $imageSrc = 'self'

$mediaSrc

Restricts the origins allowed to deliver video and audio.

public array<int, string>|string|null $mediaSrc

$objectSrc

Allows control over Flash and other plugins.

public array<int, string>|string $objectSrc = 'self'

$pluginTypes

Limits the kinds of plugins a page may invoke.

public array<int, string>|string|null $pluginTypes

$reportURI

Specifies a URL where a browser will send reports when a content security policy is violated.

public string|null $reportURI = null

$scriptSrc

Lists allowed scripts' URLs.

public array<int, string>|string $scriptSrc = 'self'

$styleSrc

Lists allowed stylesheets' URLs.

public array<int, string>|string $styleSrc = 'self'

$upgradeInsecureRequests

Instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for websites with large numbers of old URLs that need to be rewritten.

public bool $upgradeInsecureRequests = false
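
How settings of this shape turn into a response header, as an added example that is not the framework's or this class's own code. The names `CSP_DIRECTIVES`, `cspSource` and `buildCspHeader` and the sample values are hypothetical; `$pluginTypes`, `$sandbox` and the nonce tags are left out.

```php
<?php
// Added example, not the framework's code. All names below are hypothetical.
const CSP_DIRECTIVES = [
    'defaultSrc' => 'default-src', 'scriptSrc' => 'script-src', 'styleSrc' => 'style-src',
    'imageSrc' => 'img-src', 'connectSrc' => 'connect-src', 'fontSrc' => 'font-src',
    'objectSrc' => 'object-src', 'mediaSrc' => 'media-src', 'childSrc' => 'child-src',
    'frameSrc' => 'frame-src', 'manifestSrc' => 'manifest-src', 'baseURI' => 'base-uri',
    'formAction' => 'form-action', 'frameAncestors' => 'frame-ancestors',
];

/** Quote CSP keywords, nonces and hashes; leave hosts and schemes untouched. */
function cspSource(string $value): string
{
    $bare = trim($value, "'");
    // A ';' ends the directive and whitespace or ',' splits the value: reject them.
    if ($bare === '' || preg_match('/[;,\s\']/', $bare) === 1) {
        throw new InvalidArgumentException("Invalid CSP source: {$value}");
    }
    $keyword = '/^(self|none|unsafe-inline|unsafe-eval|strict-dynamic|(nonce|sha256|sha384|sha512)-.+)$/';
    return preg_match($keyword, $bare) === 1 ? "'{$bare}'" : $bare;
}

/** @return array{0: string, 1: string} header name and header value */
function buildCspHeader(object $config): array
{
    $parts = [];
    foreach (CSP_DIRECTIVES as $property => $directive) {
        $sources = $config->{$property} ?? null;
        if ($sources === null || $sources === [] || $sources === '') {
            // Unset: omit it. base-uri, form-action and frame-ancestors
            // do not fall back to default-src, so set them explicitly.
            continue;
        }
        $parts[] = $directive . ' ' . implode(' ', array_map('cspSource', (array) $sources));
    }
    if (! empty($config->upgradeInsecureRequests)) {
        $parts[] = 'upgrade-insecure-requests';
    }
    if (! empty($config->reportURI)) {
        $parts[] = 'report-uri ' . $config->reportURI;
    }
    $name = 'Content-Security-Policy' . (empty($config->reportOnly) ? '' : '-Report-Only');
    return [$name, implode('; ', $parts)];
}

// Constructed sample values, shaped like the documented properties.
$config = (object) [
    'scriptSrc' => ['self', 'https://cdn.example.com'], 'styleSrc' => 'self',
    'objectSrc' => 'none', 'baseURI' => 'self', 'reportURI' => '/csp-report', 'reportOnly' => true,
];
echo implode(': ', buildCspHeader($config)), "\n";
```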
