Codepath

Content Security Policy

A Content Security Policy (CSP) regulates which external resources a page may load. It lets developers restrict where JavaScript, CSS, and other resources can be loaded from.

It is good practice to start with a policy restricted to the same origin, which allows only resources originating from the current domain to be loaded ("Only load your own content"), and then to whitelist any additional resources that should be allowed. Whitelisting can be done by resource type or by originating location.

CSP directives are sent to the browser in the Content-Security-Policy response header. The header can be set by the application or as a default in the web server configuration.

Example: CSP directives that whitelist the current page, Google APIs, and the Facebook Like button. The header value is shown over several lines for readability; it is sent as a single line, with directives separated by semicolons. Note that directive names are followed directly by their sources, with no colon.

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://apis.google.com;
  child-src https://facebook.com
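
The following is an added example, not code from this page: a small Python evaluator that parses a Content-Security-Policy header value and decides whether a resource of a given type, loaded by a page at a given origin, is allowed. It handles only 'self', 'none' and exact scheme://host sources, plus the fallback from specific directives to default-src; wildcards, nonces and hashes are out of scope. It also rejects the common mistake of writing a colon after the directive name.

```python
from urllib.parse import urlsplit

# Directives without an entry of their own fall back to default-src.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "child-src",
                       "connect-src", "font-src", "media-src"}

def parse_csp(header_value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name.endswith(":"):
            # 'script-src:' is a common mistake: a browser treats it as an
            # unknown directive, so the intended restriction never applies.
            raise ValueError(f"invalid directive name {name!r} (no colon)")
        policy[name] = sources
    return policy

def origin_of(url):
    """Reduce a URL or source expression to scheme://host[:port]."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"

def is_allowed(policy, directive, resource_url, page_origin):
    """Return True if the resource may load under the given directive."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP does not restrict it
    target = origin_of(resource_url)
    for src in sources:
        if src == "'self'" and target == page_origin:
            return True
        if not src.startswith("'") and origin_of(src) == target:
            return True
    return False  # includes the 'none' case and any unlisted origin

# Constructed sample input: the policy from the example above, as one line.
PAGE_POLICY = ("default-src 'self'; "
               "script-src 'self' https://apis.google.com; "
               "child-src https://facebook.com")
```

Because child-src is set explicitly, frames from the page's own origin are not allowed unless 'self' is added to that directive; only directives that are absent fall back to default-src.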

Content Security Policy website
