The .ContentSecurityPolicy file declares the maximum set of Content-Security-Policy rules a website may set on its responses, and it also documents those settings. When you provide a package for others to install, they are prompted to accept its Content-Security-Policy rules when they install the package. (Warning: currently, package updates silently allow everything; there is no second prompt.)
You don’t need to set a file type on the .ContentSecurityPolicy file.
The body of the .ContentSecurityPolicy file can use either the simple format or the fully defined format.

In the simple format, list each domain you want to allow on its own line. For example:
www.youtube.com
www.google-analytics.com
This allows every kind of resource loading and communication (scripts, styles, images, fonts, connections, frames, form submissions and so on) with the listed hosts.
Valid values are:
foo.com
http://foo.com
https://foo.com
WARNING: the simple format is convenient, but because every host is repeated in every directive it bloats the HTTP headers. Use the simple format only for prototyping, and switch to the fully defined format in production.
In the fully defined format, use any valid Content-Security-Policy directives, one per line. For example, the simple format rule www.youtube.com is equivalent to the following fully defined rules (note that form-action and frame-ancestors do not fall back to default-src, which is why they are spelled out rather than covered by the first line):
default-src www.youtube.com
script-src www.youtube.com
style-src www.youtube.com
img-src www.youtube.com
connect-src www.youtube.com
font-src www.youtube.com
object-src www.youtube.com
media-src www.youtube.com
child-src www.youtube.com
form-action www.youtube.com
frame-ancestors www.youtube.com
You can also use the semicolon-separated representation:
default-src www.youtube.com; script-src www.youtube.com; style-src www.youtube.com; img-src www.youtube.com; connect-src www.youtube.com; font-src www.youtube.com; object-src www.youtube.com; media-src www.youtube.com; child-src www.youtube.com; form-action www.youtube.com; frame-ancestors www.youtube.com
Valid directive values are the same as for the simple format, plus, where applicable, the quoted 'sha256-…' hash source (the base64-encoded SHA-256 digest of a specific inline script or style you want to allow). Note that for script-src the values 'unsafe-inline' and 'unsafe-eval' are not allowed, for security reasons. For example:
script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='
Note that simply installing a package does not add any Content-Security-Policy headers to your HTTP responses; a package's rules are only emitted when the package is actually used on the page being served. For example, if you install a YouTube video player, the headers will only include the rules allowing communication with YouTube on pages that actually contain a YouTube video player. Other pages will not carry them.
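The following is an added example, not the framework's own parser, that ties together the three behaviours described above: detecting whether a .ContentSecurityPolicy body is in the simple or the fully defined format, expanding a simple host list into the eleven directives listed earlier, validating fully defined rules (hosts and quoted 'sha256-…' hashes only, with 'unsafe-inline' and 'unsafe-eval' rejected in script-src), and merging the policies of the packages actually used on a page into one header value. Function names, the regular expressions and the sample policies are assumptions made for the example.

```javascript
// Added example: parse, validate and merge .ContentSecurityPolicy bodies.
// Not the framework's code; names and regexes are assumptions.

// The directives the page says a simple-format host expands into.
const SIMPLE_DIRECTIVES = [
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'child-src', 'form-action',
  'frame-ancestors',
];

// foo.com, http://foo.com, https://foo.com (optional port, no path).
const HOST_RE = /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;
// Quoted 'sha256-<base64>' hash source, as in the page's example.
const HASH_RE = /^'sha256-[A-Za-z0-9+/]+={0,2}'$/;
const DIRECTIVE_RE = /^[a-z][a-z-]*$/;

// Both the newline and the semicolon-separated representations are accepted.
function splitRules(body) {
  return body.split(/[\n;]/).map(s => s.trim()).filter(s => s.length > 0);
}

// Simple format: every rule is a bare host. Anything else is fully defined.
function isSimpleFormat(rules) {
  return rules.every(r => HOST_RE.test(r));
}

// The page allows only hosts and sha256 hashes as sources; unsafe-inline and
// unsafe-eval get a specific error so the reason is visible to the author.
function validateSource(directive, src) {
  if (HOST_RE.test(src) || HASH_RE.test(src)) return;
  if (directive === 'script-src' && (src === "'unsafe-inline'" || src === "'unsafe-eval'")) {
    throw new Error(`${src} is not allowed in script-src`);
  }
  throw new Error(`unsupported source "${src}" in ${directive}`);
}

// Returns a map of directive -> array of sources.
function parsePolicy(body) {
  const rules = splitRules(body);
  if (rules.length === 0) throw new Error('empty policy');
  const policy = {};
  if (isSimpleFormat(rules)) {
    // Expansion of the simple format into every directive the page lists.
    for (const d of SIMPLE_DIRECTIVES) policy[d] = [...rules];
    return policy;
  }
  for (const rule of rules) {
    const [directive, ...sources] = rule.split(/\s+/);
    if (!DIRECTIVE_RE.test(directive)) throw new Error(`bad directive "${directive}"`);
    if (sources.length === 0) throw new Error(`${directive} has no sources`);
    for (const s of sources) validateSource(directive, s);
    policy[directive] = (policy[directive] || []).concat(sources);
  }
  return policy;
}

// Merge the policies of the packages actually used on one page,
// de-duplicating sources per directive. Packages not used on the page
// are simply not passed in, so their hosts never reach the header.
function mergePolicies(policies) {
  const merged = {};
  for (const p of policies) {
    for (const [d, sources] of Object.entries(p)) {
      const set = new Set(merged[d] || []);
      for (const s of sources) set.add(s);
      merged[d] = [...set];
    }
  }
  return merged;
}

// Serialize to the value of a Content-Security-Policy response header.
function toHeaderValue(policy) {
  return Object.entries(policy).map(([d, s]) => `${d} ${s.join(' ')}`).join('; ');
}

// Constructed usage: a video-player package using the simple format and a
// font package using the fully defined format, both present on one page.
const youtubePlayer = parsePolicy('www.youtube.com\nwww.google-analytics.com');
const fontPackage = parsePolicy(
  "font-src https://fonts.example; script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"
);
console.log(toHeaderValue(mergePolicies([youtubePlayer, fontPackage])));
```

Running the usage at the bottom shows the header-bloat the warning refers to: the two simple-format hosts appear in all eleven directives, while the fully defined font package contributes exactly two sources.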