[3] CSP provides a standard method for website owners to declare the approved origins of content that browsers should be allowed to load on that website. Covered types include JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects (such as Java applets and ActiveX controls), audio and video files, and other HTML5 features.
The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004,[4] first implemented in Firefox 4 and quickly adopted by other browsers.
If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative allowlist policy.
One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks.
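The following JavaScript is an added example, written for this page, of how a compliant client evaluates such an allowlist: it parses a Content-Security-Policy header value, resolves the fallback chain (for instance style-src falling back to default-src), and decides whether a resource URL, or an inline script carrying a given nonce, would be allowed. It is not code from the specification or from any browser; the sample policy, page URL and nonce value are constructed for the example, and the evaluator models only host, scheme, 'self', 'none', nonce and 'unsafe-inline' sources (no 'strict-dynamic', no hash sources, and only simple path-prefix matching).

```javascript
// Added example: a small CSP allowlist evaluator modelled on what a compliant
// client does. Not from any browser or from the CSP specification text; covers
// a subset of the source-expression grammar (host, scheme, 'self', 'none',
// nonce, 'unsafe-inline') and omits 'strict-dynamic' and hash sources.

// Fetch directives that inherit from another directive when absent (CSP3 chains).
const FALLBACK = {
  "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
  "font-src": "default-src", "connect-src": "default-src", "media-src": "default-src",
  "object-src": "default-src", "child-src": "default-src",
  "frame-src": "child-src", "worker-src": "child-src",
};

const NETWORK_SCHEMES = ["http:", "https:", "ws:", "wss:"];

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// Parse "directive src src; directive src" into a Map of directive -> source list.
// The first occurrence of a directive wins; later duplicates are ignored, as in browsers.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list governing a directive, following the fallback chain.
// null means no directive applies, so the load is unrestricted by this policy.
function sourcesFor(policy, directive) {
  let d = directive;
  while (d && !policy.has(d)) d = FALLBACK[d];
  return d ? policy.get(d) : null;
}

// Does one source expression match a resource URL loaded by a page at pageUrl?
function matchesSource(expr, resourceUrl, pageUrl) {
  const u = new URL(resourceUrl);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === pageUrl.origin;
  if (e.startsWith("'")) return false;                 // keywords, nonces and hashes never match URLs
  if (e === "*") return NETWORK_SCHEMES.includes(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e;   // scheme-source such as "https:"

  // host-source: [scheme://]host[:port][/path]; host may be "*" or "*.example.com"
  const m = expr.match(/^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const scheme = m[1] && m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];                                   // paths stay case-sensitive

  if (scheme) {
    if (u.protocol !== scheme + ":") return false;
  } else {
    // No scheme given: match the page's scheme or its secure upgrade (http->https, ws->wss).
    const upgraded = { "http:": "https:", "ws:": "wss:" }[pageUrl.protocol];
    if (u.protocol !== pageUrl.protocol && u.protocol !== upgraded) return false;
  }
  if (host.startsWith("*.")) {
    if (!u.hostname.endsWith(host.slice(1))) return false;   // "*.example.com" excludes "example.com" itself
  } else if (host !== "*" && u.hostname !== host) {
    return false;
  }
  if (port && port !== "*") {
    if ((u.port || defaultPort(u.protocol)) !== port) return false;
  } else if (!port && u.port !== "") {
    return false;                                      // no port in the expression: only the scheme's default port matches
  }
  if (path && (path.endsWith("/") ? !u.pathname.startsWith(path) : u.pathname !== path)) return false;
  return true;
}

// Would a resource of the given directive type from resourceUrl be allowed on the page?
function isAllowed(header, directive, resourceUrl, pageUrl) {
  const sources = sourcesFor(parsePolicy(header), directive);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  return sources.some((expr) => matchesSource(expr, resourceUrl, page));
}

// Stricter script execution: inline script runs only with a matching nonce, or with
// 'unsafe-inline' when no nonce or hash source is present (nonces/hashes disable it).
function allowsInlineScript(header, nonce) {
  const sources = sourcesFor(parsePolicy(header), "script-src");
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample policy and page URL (not from any real deployment).
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; " +
  "img-src *; object-src 'none'";
const PAGE = "https://app.example.com/index.html";

for (const [directive, url] of [
  ["script-src", "https://cdn.example.com/lib.js"],
  ["script-src", "https://evil.example.net/x.js"],
  ["style-src", "https://cdn.example.com/site.css"],   // style-src falls back to default-src 'self'
  ["object-src", "https://app.example.com/plugin.swf"],
]) console.log(directive, url, isAllowed(EXAMPLE_POLICY, directive, url, PAGE));
console.log("inline with nonce:", allowsInlineScript(EXAMPLE_POLICY, "r4nd0m"));
```

The fallback chain is the part practitioners most often get wrong: a policy that sets only script-src leaves every other resource type unrestricted, and a policy that sets default-src 'self' restricts frames through child-src even though neither frame-src nor child-src is named.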
[citation needed] In 2018 security researchers showed how to send false positive reports to the designated receiver specified in report-uri.
[30] The W3C Web Application Security Working Group considers script injected by browser add-ons or extensions, which CSP exempts from enforcement, to be part of the Trusted Computing Base implemented by the browser; however, a representative of Cox Communications has argued to the working group that this exemption is a potential security hole that could be exploited by malicious or compromised add-ons or extensions.