CSP
E542503
CSP is a web security standard that helps prevent attacks like cross-site scripting (XSS) by controlling which resources a browser is allowed to load for a given page.
All labels observed (1)
| Label | Occurrences |
|---|---|
| CSP canonical | 1 |
Statements (71)
| Predicate | Object |
|---|---|
| instanceOf | browser security mechanism; web security standard |
| abbreviation | CSP |
| commonHeaderName | Content-Security-Policy; Content-Security-Policy-Report-Only |
| configuredBy | web application developers |
| controls | WebSocket connection endpoints; connection endpoints for XHR and fetch; execution of inline scripts; from which origins resources may be loaded; loading of external scripts; loading of fonts; loading of frames and iframes; loading of images; loading of media resources; loading of stylesheets; use of base URIs; use of eval-like JavaScript constructs; use of form actions; use of inline event handlers; use of plugins and object resources; use of workers; which resources a browser is allowed to load |
| definedBy | World Wide Web Consortium |
| deliveredAs | HTML meta element; HTTP response header |
| encourages | avoidance of inline JavaScript; use of nonces or hashes for scripts |
| enforcedBy | web browsers |
| hasVersion | Content Security Policy Level 1; Content Security Policy Level 2; Content Security Policy Level 3 |
| introducedIn | Content Security Policy Level 1 |
| mitigates | clickjacking when combined with frame-ancestors directive; cross-site scripting (XSS); data injection vulnerabilities |
| partOf | web platform security model |
| primaryGoal | mitigate cross-site scripting attacks; mitigate data injection attacks; reduce content exfiltration risk |
| relatedTo | HTTP security headers; Referrer-Policy; Strict-Transport-Security; X-Frame-Options |
| requires | whitelisting of trusted content sources |
| specifiedIn | W3C Recommendation |
| supportedBy | major desktop browsers; major mobile browsers |
| supports | script hashes; script nonces; style hashes; style nonces |
| supportsMode | enforce mode; report-only mode |
| usedIn | modern web applications |
| usesDirective | base-uri; block-all-mixed-content; child-src; connect-src; default-src; font-src; form-action; frame-ancestors; frame-src; img-src; object-src; report-to; report-uri; script-src; style-src; upgrade-insecure-requests |
Referenced by (1)