X-Content-Security-Policy
The HTTP X-Content-Security-Policy response header is an unofficial HTTP header originally serving as the vendor-prefixed version of Content-Security-Policy, introduced in Firefox before the CSP standard was finalized.
Note
The "X-" naming convention for HTTP headers, where "X" stood for "experimental", has been deprecated (RFC 6648). New headers should use unprefixed names, and browsers no longer read X-Content-Security-Policy at all.
Legacy
This header predates the standardized Content-Security-Policy header. Current browsers enforce only the unprefixed Content-Security-Policy header and ignore the prefixed one entirely. Some servers and CMS platforms still send X-Content-Security-Policy alongside the standard header as a backward-compatibility measure, but the only browsers that ever honored it (Firefox 4 through 22 and, for the sandbox directive only, Internet Explorer 10 and 11) are long out of use, so the prefixed header adds no protection today.
Usage
Early implementations of Content Security Policy in Firefox (versions 4 through 22) and Internet Explorer 10 and 11 used the X-Content-Security-Policy header name. Firefox accepted a range of directives, but used its own pre-standard syntax: allow (not default-src) and xhr-src (not connect-src), with an options directive whose inline-script and eval-script keywords played the role of today's 'unsafe-inline' and 'unsafe-eval', alongside script-src, style-src, img-src, frame-ancestors, report-uri, and others. Internet Explorer 10 and 11 only supported the sandbox directive through this header; all other directives were ignored.
Once the W3C finalized the CSP specification, browsers adopted the unprefixed Content-Security-Policy header (Firefox did so in version 23). The prefixed version persists in the wild because certain web frameworks and CMS platforms still emit both headers by default. Some WordPress-based sites send a policy like default-src 'self'; img-src *; media-src * data:; under this header name. Financial institutions and large e-commerce platforms have also been observed sending frame-ancestors directives through the prefixed header, described as defense in depth. In practice this is not a defense at all: no current browser reads the prefixed header, so a frame-ancestors directive sent only under X-Content-Security-Policy blocks nothing. Clickjacking protection requires frame-ancestors on the standard Content-Security-Policy header (with X-Frame-Options as a fallback for older browsers).
Directives
Modern servers sending X-Content-Security-Policy use standard Content-Security-Policy directive syntax. The historical Firefox implementation (versions 4 through 22) used a different vocabulary (allow instead of default-src, xhr-src instead of connect-src), but those names are no longer recognized by any browser, and neither is the prefixed header itself. The directives below are therefore only meaningful when the same policy is also sent as Content-Security-Policy. Common directives observed in production under the prefixed header include:
default-src
The default-src directive sets the fallback policy for
all resource types not covered by a more specific
directive. A value of 'self' restricts loading to the
same origin.
script-src
The script-src directive controls which sources are allowed to serve JavaScript. 'self' restricts scripts to the same origin; 'unsafe-inline' and 'unsafe-eval' weaken the policy by permitting inline script and eval()-style code execution. A script-src that includes 'unsafe-inline' offers little protection against XSS, which is why nonces or hashes are preferred (and in CSP Level 3 browsers, the presence of a nonce or hash causes 'unsafe-inline' to be ignored).
style-src
The style-src directive controls which sources are allowed to serve stylesheets. A value of 'self' 'unsafe-inline' permits same-origin stylesheets as well as inline <style> elements and style attributes.
img-src
The img-src directive controls which sources are allowed to serve images. A wildcard * permits images from any origin over a network scheme (http:, https:, ws:, wss:); it does not match data:, blob:, or filesystem: URLs, which must be listed explicitly, as in the media-src * data: example below.
frame-ancestors
The frame-ancestors directive specifies which origins are allowed to embed the page in a frame or iframe. A value of 'none' blocks all framing. A value of 'self' permits same-origin framing only. Unlike most fetch directives, frame-ancestors does not fall back to default-src, so it must be stated explicitly; it is the standards-track replacement for X-Frame-Options.
connect-src
The connect-src directive restricts the origins to which scripts are allowed to connect via XMLHttpRequest, fetch(), WebSocket, EventSource, and navigator.sendBeacon() requests.
Example
A WordPress-based site restricting most resources to the same origin while allowing images and media from any source. The default-src 'self' directive locks down resource loading, while img-src * and media-src * data: allow image and media delivery from external hosts and data: URLs. Sent under this header name alone, the policy is enforced by no current browser; it takes effect only if the same value is also sent as Content-Security-Policy.
X-Content-Security-Policy: default-src 'self'; img-src *; media-src * data:;
A financial institution attempting to block all framing of its pages. The frame-ancestors 'none' directive would prevent the site from being embedded in any iframe, protecting against clickjacking, but only when delivered on the standard Content-Security-Policy header; under the prefixed header it is ignored by every browser in use today.
X-Content-Security-Policy: frame-ancestors 'none'
A site sending a full policy covering scripts, styles, images, fonts, and connections. Each directive restricts resource loading to the same origin, with inline styles and scripts explicitly permitted through 'unsafe-inline'. Note that 'unsafe-inline' in script-src largely cancels the XSS protection the rest of the policy provides, since an injected inline <script> is still allowed to run.
X-Content-Security-Policy: default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'
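The checks a practitioner would want to run against responses like the three above, as an added example that is not part of the original page: a small audit that parses both header values, flags the legacy Firefox directive names (allow, xhr-src), reports a site that sends only the prefixed header (and so has no enforced CSP), reports a mismatch between the two headers, reports frame-ancestors that exists only in the prefixed header with no X-Frame-Options fallback, and reports 'unsafe-inline' in the effective script-src. The finding codes and the sample header sets are constructed for this example.

```python
"""Audit HTTP response headers for legacy X-Content-Security-Policy usage.

Example code added for illustration; finding codes and sample header sets are
constructed here and are not from any real deployment.
"""
from typing import Dict, List, Tuple

# Directive names from Firefox 4-22's pre-standard syntax and their standard equivalents.
LEGACY_DIRECTIVES = {"allow": "default-src", "xhr-src": "connect-src"}

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP into {directive-name: [source-expressions]}.

    Directives are separated by ';' and tokens by whitespace; names are
    case-insensitive. A repeated directive keeps its first occurrence, as the
    CSP specification requires. Empty chunks (e.g. a trailing ';') are skipped.
    """
    parsed: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in parsed:
            parsed[name] = tokens[1:]
    return parsed


def audit_csp_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return findings for a response's headers (header names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    legacy = lower.get("x-content-security-policy")
    standard = lower.get("content-security-policy")
    findings: List[Finding] = []
    if legacy is None:
        return findings  # nothing legacy to report on

    legacy_policy = parse_csp(legacy)
    std_policy = parse_csp(standard) if standard is not None else {}

    # Pre-standard Firefox directive names are recognized by no browser today.
    for old, new in LEGACY_DIRECTIVES.items():
        if old in legacy_policy:
            findings.append(("LEGACY_DIRECTIVE",
                             f"'{old}' is Firefox 4-22 syntax; the standard name is '{new}'"))

    if standard is None:
        findings.append(("LEGACY_ONLY",
                         "X-Content-Security-Policy sent without Content-Security-Policy: "
                         "no current browser enforces it, so the site effectively has no CSP"))
    elif legacy_policy != std_policy:
        findings.append(("POLICY_MISMATCH",
                         "prefixed and standard policies differ; only the standard one is enforced"))

    # frame-ancestors does not fall back to default-src, so it must be present
    # on the standard header (or X-Frame-Options must be sent) to do anything.
    if ("frame-ancestors" in legacy_policy and "frame-ancestors" not in std_policy
            and "x-frame-options" not in lower):
        findings.append(("NO_FRAMING_PROTECTION",
                         "frame-ancestors appears only in the legacy header and no "
                         "X-Frame-Options is sent: framing is unrestricted in current browsers"))

    # Evaluate the policy browsers would actually apply (standard if present).
    effective = std_policy if standard is not None else legacy_policy
    script_sources = effective.get("script-src", effective.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append(("UNSAFE_INLINE_SCRIPT",
                         "script-src allows 'unsafe-inline', which permits injected inline scripts"))
    return findings


def finding_codes(headers: Dict[str, str]) -> List[str]:
    """Convenience wrapper returning only the finding codes, in audit order."""
    return [code for code, _ in audit_csp_headers(headers)]


# Constructed sample header sets mirroring the three examples on the page.
SAMPLES = {
    "wordpress": {"X-Content-Security-Policy": "default-src 'self'; img-src *; media-src * data:;"},
    "bank": {"X-Content-Security-Policy": "frame-ancestors 'none'"},
    "bank_fixed": {"Content-Security-Policy": "frame-ancestors 'none'",
                   "X-Content-Security-Policy": "frame-ancestors 'none'",
                   "X-Frame-Options": "DENY"},
    "full_policy": {"X-Content-Security-Policy":
                    "default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; "
                    "font-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'"},
    "old_firefox": {"X-Content-Security-Policy": "allow 'self'; xhr-src 'self'",
                    "Content-Security-Policy": "default-src 'self'; connect-src 'self'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label)
        for code, message in audit_csp_headers(hdrs) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

Run as a script it prints the findings for each sample; in a real audit the headers dict would come from an HTTP client's response, and the only finding-free case is the one that sends the same policy on Content-Security-Policy as well.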
Takeaway
The X-Content-Security-Policy header is the legacy vendor-prefixed form of Content-Security-Policy, originally used by Firefox and Internet Explorer before the CSP standard was finalized. No current browser enforces it, so a site that sends only the prefixed header effectively has no Content Security Policy. New deployments belong on the standard Content-Security-Policy header; sending the prefixed header in addition is harmless but provides no protection.