Indicates content from the given host path is allowed. See the Content-Security-Policy spec's matching rules for host-source for more about what this can look like.
Example: Host("https://base.*.example.com")
Indicates content from the given scheme is allowed. The scheme should not include the trailing ":".
Example: Scheme("data")
Indicates content from all sources is allowed.
Indicates content from no sources is allowed.
Indicates content from the same origin as the content is allowed.
Indicates eval and related functionality can be used. Some of Lift's functionality, including idMemoize and comet handling, relies on eval, so not including this in your script sources will mean you won't be able to use those.
If not specified for JavaScript, invoking eval, the Function constructor, or setTimeout/setInterval with a string parameter will all throw security exceptions in a browser that supports content security policies.
Indicates inline content on the page is allowed to be interpreted. It is highly recommended that this not be used, as it exposes your application to cross-site scripting and other vulnerabilities.
If not specified for JavaScript, JavaScript on* event handler attributes, <script> elements, and javascript: URIs will not be executed by a browser that supports content security policies.
If not specified for stylesheets, <style> elements and inline style attributes will not be read by a browser that supports content security policies.
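As an added illustration (this is not Lift's code and not part of the documentation above), the following Python model covers the restrictions described on this page: it renders a source list to the text that goes into the Content-Security-Policy header, and it checks which script URLs, inline scripts and eval calls such a list permits. The class names Host, Scheme and the keyword values All, NoSource, Self, UnsafeEval and UnsafeInline are this example's own names; the host-source and scheme-source matching follows the CSP3 rules in simplified form (redirect handling and percent-decoding are not modelled). All sample URLs and origins are constructed for the example.

```python
"""Added example (not Lift's code): a small model of CSP source restrictions.
Renders a source list to header form and checks what it permits, following
CSP3 host-source/scheme-source matching in simplified form."""
import re
from dataclasses import dataclass
from typing import List, Union
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# optional scheme, host (with optional leading "*."), optional port, optional path
HOST_SOURCE = re.compile(r"(?:([A-Za-z][A-Za-z0-9+.-]*)://)?([^/:]+)(?::(\*|\d+))?(/.*)?")


@dataclass(frozen=True)
class Host:
    source: str   # host-source such as "https://*.example.com:8443/js/"


@dataclass(frozen=True)
class Scheme:
    scheme: str   # scheme-source given WITHOUT the trailing ':' (e.g. "data")


@dataclass(frozen=True)
class Keyword:
    token: str    # a keyword-source exactly as it appears in the header


All, NoSource, Self = Keyword("*"), Keyword("'none'"), Keyword("'self'")
UnsafeEval, UnsafeInline = Keyword("'unsafe-eval'"), Keyword("'unsafe-inline'")
Restriction = Union[Host, Scheme, Keyword]


def render(restrictions: List[Restriction]) -> str:
    """Serialize a source list (e.g. for script-src) to its header form."""
    tokens = []
    for r in restrictions:
        if isinstance(r, Scheme):
            if r.scheme.endswith(":"):
                raise ValueError("scheme must be given without the trailing ':'")
            tokens.append(r.scheme + ":")
        else:
            tokens.append(r.source if isinstance(r, Host) else r.token)
    return " ".join(tokens)


def _scheme_matches(expected: str, actual: str) -> bool:
    # CSP lets an http/ws expression also match the secure upgrade of that scheme.
    return actual == expected or (expected, actual) in (("http", "https"), ("ws", "wss"))


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_source_matches(expr: str, url: str, origin: str) -> bool:
    m = HOST_SOURCE.fullmatch(expr)
    if not m:
        return False
    e_scheme, e_host, e_port, e_path = m.groups()
    u, o = urlsplit(url), urlsplit(origin)
    if not _scheme_matches(e_scheme or o.scheme, u.scheme):  # no scheme: inherit origin's
        return False
    host = u.hostname or ""
    if e_host.startswith("*."):
        if not host.endswith(e_host[1:].lower()):    # "*.example.com" does not match "example.com"
            return False
    elif e_host != "*" and ("*" in e_host or host != e_host.lower()):
        return False                                 # wildcard is only valid as the leftmost label
    if e_port is None:
        if _effective_port(u) != DEFAULT_PORTS.get(u.scheme):
            return False                             # no port given: only the scheme's default port
    elif e_port != "*" and _effective_port(u) != int(e_port):
        return False
    if e_path:
        if e_path.endswith("/"):
            return u.path.startswith(e_path)         # directory prefix match
        return u.path == e_path                      # exact file match
    return True


def _same_origin(url: str, origin: str) -> bool:
    u, o = urlsplit(url), urlsplit(origin)
    return (u.scheme == o.scheme and (u.hostname or "") == (o.hostname or "")
            and _effective_port(u) == _effective_port(o))


def allows_url(restrictions: List[Restriction], url: str, origin: str) -> bool:
    """Would a CSP-aware browser fetch `url` for a page at `origin` under this list?"""
    url_scheme = urlsplit(url).scheme
    for r in restrictions:
        if isinstance(r, Host) and _host_source_matches(r.source, url, origin):
            return True
        if isinstance(r, Scheme) and _scheme_matches(r.scheme, url_scheme):
            return True
        if r == Self and _same_origin(url, origin):
            return True
        if r == All and (url_scheme in DEFAULT_PORTS or url_scheme == urlsplit(origin).scheme):
            return True
        # 'none', 'unsafe-eval' and 'unsafe-inline' never match a URL.
    return False


def allows_inline(restrictions: List[Restriction]) -> bool:
    return UnsafeInline in restrictions


def allows_eval(restrictions: List[Restriction]) -> bool:
    return UnsafeEval in restrictions


if __name__ == "__main__":
    policy = [Self, Host("https://*.example.com"), Scheme("data"), UnsafeEval]
    print("script-src " + render(policy))
    print(allows_url(policy, "https://cdn.example.com/lib.js", "https://app.example.com"))
```

The model shows the two behaviours a defender cares about: a `*.` wildcard host-source does not match the bare apex domain, and a host-source without a port only matches the scheme's default port, so a stricter list than the one that "works" is easy to verify before it ships. The eval and inline checks are deliberately literal: a list that omits 'unsafe-eval' denies the eval-dependent Lift features named above, and one that omits 'unsafe-inline' denies inline scripts (nonce- and hash-sources, which CSP also offers for inline scripts, are outside this model).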