Line 380:
| ==Activation and Enforcement== | | ==Activation and Enforcement== |
| CSP is activated by a client's browser when the <tt>X-Content-Security-Policy</tt> HTTP header is provided in a HTTP response. | | User Agents MUST activate CSP and enforce it for a document when the <tt>X-Content-Security-Policy</tt> HTTP header is provided in its HTTP response. User Agents MUST parse AND begin enforcing the policy before any of the protected content is parsed. |
| The Content Security Policy to be enforced can be delivered to the browser in one of two ways: directly as the value in the <tt>X-Content-Security-Policy</tt> HTTP header or a file served from the same host as the resource to be secured. The <tt>X-Content-Security-Policy</tt> header must either contain a policy definition <i>or</i> a <tt>policy-uri</tt> field; if both are present, the browser will raise a [[Security/CSP/Spec#Error_Handling|CSP console error]] and enforce the most restrictive ("allow none") policy.
| The syntax is identical between file-based and header-based policy. The contents of a policy file are equivalent to the value of the X-Content-Security-Policy header.
| ==Policy Refinements with Multiple Headers== | | ==Policy Refinements with Multiple Headers== |
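Review bot: the new requirement in the Activation and Enforcement row that User Agents MUST parse and begin enforcing the policy "before any of the protected content is parsed" is not reconciled with the policy-uri delivery path described in the next row, where the policy is fetched from a separate file; if both sentences stand, the User Agent has to block parsing of the document until the policy-uri fetch completes, and the text should say so explicitly and state what is enforced when that fetch fails or times out (the "allow none" fallback already used for the policy-plus-policy-uri error case would be the consistent choice). Two smaller points in the same rows: "a file served from the same host" leaves scheme and port unspecified, so a policy-uri check based on host alone is weaker than a same-origin check, and the wording should say which is meant; and "MUST parse AND begin enforcing" reads as an emphasis artifact, so "AND" should be lowercase like the rest of the RFC-style keywords here.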