With this policy defined, the browser simply throws an error instead of loading script from any other source. When a clever attacker manages to inject code into your site, they’ll run headlong into an error message rather than the success they were expecting.
Policy applies to a wide variety of resources
While script resources are the most obvious security risks, CSP provides a rich set of policy directives that enable fairly granular control over the resources that a page is allowed to load. You’ve already seen script-src, so the concept should be clear.
Let’s quickly walk through the rest of the resource directives. The list below represents the state of the directives as of level 2. A level 3 spec has been published, but is largely unimplemented in the major browsers.
base-uri restricts the URLs that can appear in a page’s `<base>` element.
child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins.
connect-src limits the origins that you can connect to (via XHR, WebSockets, and EventSource).
font-src specifies the origins that can serve web fonts. Google’s web fonts could be enabled via font-src https://themes.googleusercontent.com.
form-action lists valid endpoints for submission from
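To make the directive semantics above concrete, here is an added example (not code from this article): a small Python evaluator that parses a CSP header into its directives and answers whether a given load would be permitted. `SAMPLE_POLICY` is a constructed header in the style of the examples above, and `matches` implements a deliberately simplified version of level-2 host-source matching (keywords, scheme, host, wildcard subdomain, explicit port), not the browser's full algorithm.

```python
from urllib.parse import urlsplit

# Constructed sample header using the directives discussed above (not from the page).
SAMPLE_POLICY = (
    "script-src 'self' https://apis.google.com; "
    "child-src https://youtube.com; "
    "connect-src 'self' wss://chat.example.com; "
    "font-src https://themes.googleusercontent.com"
)

def parse_csp(header):
    # Split "directive source source; directive ..." into {directive: [sources]}.
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def matches(source, url, page_origin):
    # Simplified level-2 source matching: keywords plus scheme/host/port sources.
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "*":
        return True
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != u.scheme:
        return False
    if src.hostname.startswith("*."):  # wildcard subdomain, e.g. *.example.com
        if not u.hostname.endswith(src.hostname[1:]):
            return False
    elif src.hostname != u.hostname:
        return False
    return src.port is None or src.port == u.port  # explicit port must match

def allows(policy, directive, url, page_origin):
    # Fetch directives fall back to default-src; with neither present the load is unrestricted.
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(matches(s, url, page_origin) for s in sources)
```

Note that with no default-src in `SAMPLE_POLICY`, resource types the header does not name (images, styles) are left unrestricted, which is why a real policy normally starts with a restrictive default-src.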