Content-Security-Policy HTTP header syntax reference

When configuring the trusted sources security policy for your Sitefinity CMS website, you can granularly define the Content-Security-Policy HTTP response header for different types of content. The header value contains one or more directives, each of which defines the valid sources for one type of content. The value of each directive can also contain specific keywords that let you fine-tune the behavior of the directive by matching or excluding certain conditions – much like building a powerful regular expression. These keywords are known as a source list. The table below provides a reference of the supported source list values:

| Source Value | Description |
| --- | --- |
| * | Wildcard, allows any URL except the data:, blob: and filesystem: schemes. |
| 'none' | Prevents loading resources from any source. |
| 'self' | Allows loading resources from the same origin (same scheme, host and port). |
| data: | Allows loading resources via the data: scheme (for example Base64 encoded images). |
| domain.example.com | Allows loading resources from the specified domain name. |
| *.example.com | Allows loading resources from any subdomain under example.com. |
| https://cdn.com | Allows loading resources only over HTTPS matching the given domain. |
| https: | Allows loading resources only over HTTPS on any domain. |
| 'unsafe-inline' | Allows use of inline source elements such as style attributes, onclick handlers, or script tag bodies (depends on the context of the directive it is applied to) and javascript: URIs. |
| 'unsafe-eval' | Allows unsafe dynamic code evaluation such as JavaScript eval(). |
| 'nonce-' | Allows a script or style tag to execute if its nonce attribute value matches the value given in the header. For example: <script nonce="2726c7f26c">alert("hello");</script> |
| 'sha256-' | Allows a specific script or style to execute if it matches the hash. Doesn't work for javascript: URIs. For example: sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng= will allow alert('Hello, world.'); |

NOTE: Multiple source list values can be space separated except for 'none' which should be the only value.

Content-Security-Policy Examples

Below you can find examples of how to configure your Sitefinity CMS Content-Security-Policy HTTP header for some common scenarios:

Allow everything but only from the same origin
Put 'self' in Trusted sources for… -> Any content.

Only allow scripts from the same origin
Put 'self' in Trusted sources for… -> Scripts.

Allow Google Analytics, Google AJAX CDN and same origin
Put 'self' www.google-analytics.com ajax.googleapis.com in Trusted sources for… -> Any content.
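The following script is an added example, not part of the Sitefinity CMS documentation or product. It applies the rules in the source list table above: it computes the 'sha256-' source for an inline script body, generates a per-response 'nonce-' source, checks that 'none' stands alone and that keywords are quoted, and serialises a directive map into a header value such as the "Google Analytics, Google AJAX CDN and same origin" scenario. The directive names default-src and script-src are standard CSP names, assumed here to correspond to "Any content" and "Scripts" in the Sitefinity UI.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

# CSP keywords from the table above; they are only valid when single-quoted.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}


def hash_source(inline_code: str) -> str:
    """Return the 'sha256-...' source that allows exactly this inline script/style body."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def nonce_source() -> tuple[str, str]:
    """Return (nonce attribute value, 'nonce-...' source); generate a fresh one per response."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return nonce, f"'nonce-{nonce}'"


def validate_source_list(values: list[str]) -> list[str]:
    """Check the table's rules: 'none' must be the only value, keywords must be quoted."""
    errors = []
    if "'none'" in values and len(values) > 1:
        errors.append("'none' must be the only value in a source list")
    for v in values:
        if v in KEYWORDS:
            errors.append(f"keyword {v} must be written as '{v}'")
    return errors


def build_csp(directives: dict[str, list[str]]) -> str:
    """Serialise {directive: [sources]} into a Content-Security-Policy header value."""
    for name, values in directives.items():
        problems = validate_source_list(values)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


if __name__ == "__main__":
    # Constructed sample: the Google Analytics / Google AJAX CDN / same-origin scenario.
    print(build_csp({"default-src": ["'self'", "www.google-analytics.com", "ajax.googleapis.com"]}))
    # Reproduces the hash example from the table for alert('Hello, world.');
    print(hash_source("alert('Hello, world.');"))
```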

Default Policy

Projects created with Sitefinity CMS version 11.0 and later come with a pre-configured trusted sources policy. The default values for the Content-Security-Policy HTTP response header include the sources required by Sitefinity CMS to operate normally. You can customize the policy to suit your needs. Be aware that removing any of the default sources might result in abnormal behavior of Sitefinity CMS.
