Directive: connect-src
The connect-src directive restricts the URLs that can be loaded through script interfaces.
Affects: fetch(), XMLHttpRequest, WebSocket, EventSource, <a ping>, and navigator.sendBeacon().
Note
Older versions of Chrome and Safari had an issue where connect-src 'self' did not cover WebSockets (ws: and wss:) when the page was served over https:. This was fixed in Chrome 71 (Sept 2018), Safari Technology Preview 144 (May 2022), and Safari 16 (Sept 2022).
If you need to support those older browsers, work around this by listing the WebSocket scheme together with the specific host explicitly (replacing example.com with your own domain):
connect-src 'self' wss://example.com ws://example.com
If the page is always served over https:, list only the wss://example.com entry; a ws: source also permits plaintext WebSocket connections.
Accepts one or more schemes or hosts, the 'self' keyword, or the 'none' keyword. Examples:
connect-src 'none'
connect-src 'self'
connect-src example.com
connect-src example.com example.org
connect-src https://*.example.com
connect-src https:
✅ connect-src falls back to default-src if it is not set; if neither is present, connections are unrestricted.
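The following is an added example (not code from this page or from any browser) that shows how a connect-src source list is evaluated against a connection URL: the default-src fallback, 'none', 'self', scheme sources such as https:, and host sources with an optional scheme, *. wildcard and port. It follows the CSP3 matching rules as the example author reads them, leaves out paths, redirects and IP-literal hosts for brevity, and adds a hypothetical legacySelf flag that models the old Chrome/Safari behaviour from the note, where 'self' only matched the page's own scheme and so refused wss: on an https: page.

```javascript
// Added example: a simplified CSP3-style matcher for connect-src. Not browser code.
const DEFAULT_PORT = { http: 80, https: 443, ws: 80, wss: 443 };

// Parse an absolute URL into the parts CSP source matching cares about.
function parseUrl(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  const port = u.port ? Number(u.port) : DEFAULT_PORT[scheme];
  return { scheme, host: u.hostname.toLowerCase(), port, isDefaultPort: port === DEFAULT_PORT[scheme] };
}

// The source list governing connections: connect-src, else default-src, else null
// (no directive restricts connections). The first occurrence of a directive wins;
// a directive with an empty list blocks everything.
function connectSourceList(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

// CSP3 scheme-part match: a listed scheme also covers its secure/upgraded forms.
function schemeMatches(listed, actual) {
  return listed === actual ||
    (listed === 'http' && actual === 'https') ||
    (listed === 'ws' && ['wss', 'http', 'https'].includes(actual)) ||
    (listed === 'wss' && actual === 'https');
}

// "*" matches any host; "*.example.com" matches subdomains but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// 'self': same host and port; same scheme, or (CSP3) the secure/WebSocket variants of it.
// With legacySelf=true only an identical scheme counts, which is what old Chrome/Safari did.
function selfMatches(origin, target, legacySelf) {
  if (origin.host !== target.host) return false;
  if (!(origin.port === target.port || (origin.isDefaultPort && target.isDefaultPort))) return false;
  if (origin.scheme === target.scheme) return true;
  if (legacySelf) return false;
  if (target.scheme === 'https' || target.scheme === 'wss') return true;
  return origin.scheme === 'http' && target.scheme === 'ws';
}

// Does one source expression permit the target URL?
function expressionMatches(expr, origin, target, legacySelf) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return selfMatches(origin, target, legacySelf);
  if (e.startsWith("'")) return false; // nonces, hashes and other keywords never match a connection
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/.exec(e);
  if (schemeOnly) return schemeMatches(schemeOnly[1], target.scheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme the page's own scheme is used (an https page gets https only).
  if (!schemeMatches(scheme ?? origin.scheme, target.scheme)) return false;
  if (!hostMatches(host, target.host)) return false;
  if (port === undefined) return target.isDefaultPort;
  return port === '*' || Number(port) === target.port;
}

// Top-level check: may a page at pageOrigin open a connection to url under this policy?
function connectionAllowed(policy, url, pageOrigin, legacySelf = false) {
  const list = connectSourceList(policy);
  if (list === null) return true;
  const origin = parseUrl(pageOrigin);
  const target = parseUrl(url);
  return list.some(expr => expressionMatches(expr, origin, target, legacySelf));
}

// Constructed sample: the workaround policy from the note, checked with the legacy 'self' rule.
connectionAllowed("connect-src 'self' wss://example.com ws://example.com", "wss://example.com/ws", "https://example.com", true);
```

Running the workaround policy with legacySelf set to true shows why the explicit wss://example.com entry was needed: 'self' alone refuses the wss: URL under the old rule, while the host source still matches. Note that a host source without a scheme (connect-src example.com) only covers the page's own scheme, so on an https: page it does not admit wss://example.com either; spell the scheme out when WebSockets are involved.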
- CSP-0100 — [ERROR] directive %s has an invalid value%s
ABNF (CSP3)
directive-name = "connect-src"
directive-value = serialized-source-list
See ABNF: serialized-source-list
- source-list in CSP2
- serialized-source-list in CSP3
Content licensed under CC BY-SA.