Content Security Policy

Prevent XSS and injection with a strict CSP. Web apps only.

  • Start strict: begin from default-src 'none', then add only the sources the page actually needs
  • Nonce-based scripts: script-src 'nonce-{random}' 'strict-dynamic' SHOULD be used, with a fresh, unguessable nonce generated for every response. This is more secure than domain allowlisting, which can be bypassed via JSONP endpoints or scripts hosted on an allowlisted CDN
  • Policies MUST NOT include 'unsafe-inline' or 'unsafe-eval' for script-src
  • frame-ancestors 'self' to prevent clickjacking (replaces X-Frame-Options)
  • New policies SHOULD be deployed in report-only mode first (Content-Security-Policy-Report-Only) to find violations before enforcing
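The following is an added example, not code from the original page or its author: a small TypeScript module that builds the strict, nonce-based policy described above, switches between the report-only and enforcing header names by rollout stage, and lints an arbitrary header value against the MUST/MUST NOT rules. It assumes Node's built-in crypto for nonce generation; the Trusted Types policy name ("app-html") and the report endpoint path are placeholders chosen for illustration, and report-uri is used because browsers still honour it (report-to with a Reporting-Endpoints header is the newer mechanism).

```typescript
import { randomBytes } from "node:crypto";

type Directives = Record<string, string[]>;

// One fresh, unguessable nonce per response (16 random bytes, base64).
// Reusing a nonce across responses defeats the point of nonce-based CSP.
export function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Build the strict policy: deny everything by default, allow scripts only via
// the per-response nonce plus 'strict-dynamic', lock frame-ancestors to 'self'.
// Options are illustrative placeholders (policy name, report path), not values
// from the original text.
export function strictCspDirectives(
  nonce: string,
  opts: { trustedTypesPolicy?: string; reportUri?: string } = {},
): Directives {
  const d: Directives = {
    "default-src": ["'none'"],
    // With 'strict-dynamic', host sources and 'self' are ignored by CSP3 browsers;
    // the nonce alone decides which scripts run (plus scripts they load).
    "script-src": [`'nonce-${nonce}'`, "'strict-dynamic'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "base-uri": ["'none'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'self'"],
    "object-src": ["'none'"],
  };
  if (opts.trustedTypesPolicy) {
    d["require-trusted-types-for"] = ["'script'"];
    d["trusted-types"] = [opts.trustedTypesPolicy];
  }
  if (opts.reportUri) d["report-uri"] = [opts.reportUri];
  return d;
}

// Serialise to the header value grammar: "name src src; name src".
export function serializeCsp(d: Directives): string {
  return Object.entries(d).map(([name, srcs]) => `${name} ${srcs.join(" ")}`).join("; ");
}

// Pick the header name by rollout stage: report-only first, enforce later.
export function cspHeader(d: Directives, enforce: boolean): [string, string] {
  const name = enforce ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only";
  return [name, serializeCsp(d)];
}

// Parse a header value back into directives (used by the linter below).
export function parseCsp(value: string): Directives {
  const out: Directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...srcs] = tokens;
    out[name.toLowerCase()] = srcs;
  }
  return out;
}

// Lint a policy against the rules above. Findings are returned rather than
// thrown so a CI check can report all of them in one run.
export function lintCsp(value: string): string[] {
  const d = parseCsp(value);
  const findings: string[] = [];
  if (!d["default-src"]) findings.push("missing default-src (start from default-src 'none')");
  const script = d["script-src"] ?? d["default-src"] ?? [];
  for (const banned of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (script.includes(banned)) findings.push(`script-src MUST NOT include ${banned}`);
  }
  if (!script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) {
    findings.push("script-src has no nonce or hash source");
  }
  if (!script.includes("'strict-dynamic'")) {
    findings.push("script-src lacks 'strict-dynamic'");
    // A bare host or scheme source (no surrounding quotes) is domain allowlisting,
    // which only matters when 'strict-dynamic' is absent (otherwise hosts are ignored).
    if (script.some((s) => !s.startsWith("'"))) findings.push("script-src relies on host allowlisting");
  }
  if (!d["frame-ancestors"]) findings.push("missing frame-ancestors (clickjacking)");
  return findings;
}
```

In a server, generate the nonce per request, set the header with `cspHeader(strictCspDirectives(nonce, ...), false)` during the report-only phase, and render the same nonce into every `<script nonce="...">` tag the page emits; flip the boolean to true once the report endpoint is quiet.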

Trusted Types and DOM-XSS

A strict nonce-based CSP does NOT stop DOM-based XSS that flows through injection sinks such as innerHTML, document.write, or eval-like functions. Harden those sinks separately:

  • The CSP SHOULD add require-trusted-types-for 'script' together with a named trusted-types policy so only policy-vetted typed values can be assigned to dangerous DOM sinks; raw strings are rejected.
  • The trusted-types policy SHOULD be backed by a documented sanitizer (DOMPurify, or the Sanitizer API via Element.setHTML()) rather than ad-hoc escaping.
  • Trusted Types SHOULD be rolled out in report-only mode first to surface violating sinks before enforcing.
  • Trusted Types is supported in Chromium and now Safari, degrades safely (no-op) where unsupported, and has an official polyfill, so it SHOULD be enabled as defense-in-depth even with mixed browser support.
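The following is an added example, not code from the original page or its author: it creates the named Trusted Types policy that the CSP's trusted-types directive allows, wraps a sanitizer as the policy's createHTML rule, and falls back to returning the sanitized string where the API is unavailable, which is the "degrades safely" behaviour described above. The escape-everything sanitizer is a stand-in so the module runs offline; a real policy would call DOMPurify.sanitize at that point. The policy name "app-html" is an assumed placeholder, and the factory interface is declared locally so the file compiles without DOM type definitions.

```typescript
// Minimal shape of the browser's Trusted Types factory, declared locally so
// this file compiles without DOM type definitions.
interface TrustedTypesLike {
  createPolicy(
    name: string,
    rules: { createHTML: (input: string) => string },
  ): { createHTML(input: string): unknown };
}

export type Sanitizer = (dirty: string) => string;

// Stand-in sanitizer (an assumption for this example, not a recommendation):
// it escapes every markup-significant character so nothing it returns is
// parsed as HTML. A production policy would call DOMPurify.sanitize instead.
const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
export function escapeAllHtml(dirty: string): string {
  return dirty.replace(/[&<>"']/g, (c) => ESCAPES[c] ?? c);
}

// Feature detection: true in Chromium and Safari with Trusted Types, false in
// Node and in browsers without the API.
export function trustedTypesAvailable(): boolean {
  return typeof (globalThis as any).trustedTypes?.createPolicy === "function";
}

// Create the policy named in the CSP 'trusted-types' directive. Where the
// browser enforces require-trusted-types-for 'script', only the TrustedHTML
// values this policy returns are accepted by innerHTML and similar sinks; raw
// strings throw. Where the API is missing, return the sanitized string so the
// same call site works everywhere and the sanitizer still runs.
export function createHtmlPolicy(name: string, sanitize: Sanitizer) {
  if (trustedTypesAvailable()) {
    const tt = (globalThis as any).trustedTypes as TrustedTypesLike;
    const policy = tt.createPolicy(name, { createHTML: sanitize });
    return { native: true, createHTML: (dirty: string): unknown => policy.createHTML(dirty) };
  }
  return { native: false, createHTML: (dirty: string): unknown => sanitize(dirty) };
}

// Usage at a sink: every write goes through the policy, never a raw string.
//   const appHtml = createHtmlPolicy("app-html", (s) => DOMPurify.sanitize(s));
//   el.innerHTML = appHtml.createHTML(untrusted) as string;
```

Roll-out order matches the bullets above: ship the policy object first, then add require-trusted-types-for 'script' to the report-only header to find sinks still receiving raw strings, and only then enforce.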

References:

version: 1.1.0
platforms: typescript, web
tags: content-security-policy, security
author: Mike Fullerton
modified: 2026-06-09

Change History

Version  Date        Author          Summary
1.1.0    2026-06-09  Mike Fullerton  Add Trusted Types and DOM-XSS sink hardening
1.0.2    2026-04-09  Mike Fullerton  Add trigger tags
1.0.1    2026-04-09  Mike Fullerton  Reorganize into use-case directory
1.0.0    2026-03-27  Mike Fullerton  Initial creation