Manual:$wgCSPHeader/pl

If an array, can have parameters:


 * 'default-src' If true or array (of additional urls) will set a default-src directive, which limits what places things can load from. If false or not set, will send a default-src directive allowing all sources.
 * 'includeCORS' If true or not set, will include urls from $wgCrossSiteAJAXdomains as an allowed load sources.
 * 'unsafeFallback' Add unsafe-inline as a script source, as a fallback for browsers that do not understand nonce-sources [default on].
 * 'useNonces' Require nonces on all inline scripts. If disabled and 'unsafeFallback' is on, then all inline scripts will be allowed [default true].
 * 'script-src' Array of additional places that are allowed to have JS be loaded from.
 * 'report-uri' true to use MW api [default], false to disable, string for alternate uri

Warning: May cause slowness on windows due to slow random number generator.


 * https://phabricator.wikimedia.org/T135963
 * Requests_for_comment/Content-Security-Policy
 * https://phabricator.wikimedia.org/T135963
 * Requests_for_comment/Content-Security-Policy

Zobacz też

 * https://www.w3.org/TR/CSP2/
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP