X-WebKit-CSP
The HTTP X-WebKit-CSP response header is an unofficial HTTP header originally serving as WebKit's vendor-prefixed version of Content-Security-Policy, introduced in early Safari and Chrome before the CSP standard was finalized.
Note
The X- prefix for non-standard headers is
deprecated per RFC 6648.
Legacy
This header predates the standardized Content-Security-Policy header. Modern browsers implement only the unprefixed Content-Security-Policy header and ignore X-WebKit-CSP. Some servers still send X-WebKit-CSP alongside the standard header and X-Content-Security-Policy as a backward-compatibility measure; this protects only the legacy browsers that read the prefixed headers and adds nothing in current ones.
Usage
Older WebKit-based browsers (early Safari and Chrome releases) used the X-WebKit-CSP header for Content Security Policy enforcement. At the same time, Firefox used X-Content-Security-Policy as its own vendor-prefixed variant. X-WebKit-CSP accepted the W3C directive syntax that was later standardized as Content-Security-Policy; the earliest Firefox releases of X-Content-Security-Policy used Mozilla's original syntax (for example, allow in place of default-src) before converging on the W3C form, so the two prefixed headers were not always interchangeable.
Once the W3C finalized the CSP specification, browsers
adopted the unprefixed Content-Security-Policy header.
The prefixed X-WebKit-CSP version persists in
production because some web frameworks and security
middleware still emit all three CSP header variants by
default, and enterprise security policies and CMS platforms
continue sending the prefixed headers as a
defense-in-depth measure for older clients. Three copies
of a policy are three places to keep in sync: a change
applied only to the standard header leaves legacy clients
enforcing the old policy, so generate the prefixed headers
from the same value rather than editing them by hand.
The header implemented the CSP Level 1 (CSP 1.0) directives:
default-src, script-src, style-src, img-src,
connect-src, object-src, media-src, font-src,
frame-src, sandbox, and report-uri. CSP Level 2 directives such as
frame-ancestors, base-uri, and form-action were
not part of the X-WebKit-CSP implementation, and neither
were the nonce and hash source expressions, so a legacy
client that reads only X-WebKit-CSP cannot honour a policy
that depends on them.
Directives
The X-WebKit-CSP header accepts the same directive syntax as Content-Security-Policy. Common directives observed in production include:
default-src
The default-src directive sets the fallback policy for
all resource types not covered by a more specific
directive. A value of 'self' restricts loading to the
same origin (same scheme, host, and port); inline scripts
and styles are not same-origin resources and stay blocked
unless 'unsafe-inline' is added explicitly.
script-src
The script-src directive controls which sources are
allowed to serve JavaScript. 'self' permits only
same-origin scripts; 'unsafe-inline' re-enables inline
script blocks and event-handler attributes, and
'unsafe-eval' re-enables eval() and other string-to-code
evaluation. Both unsafe-* keywords remove most of the
XSS protection the directive provides, so treat them as
exceptions to be justified rather than defaults.
style-src
The style-src directive controls which sources are
allowed to serve stylesheets.
img-src
The img-src directive controls which sources are
allowed to serve images. A wildcard * permits images
from any origin.
object-src
The object-src directive restricts sources for
<object>, <embed>, and <applet> elements.
connect-src
The connect-src directive restricts the origins to
which scripts are allowed to connect via XMLHttpRequest,
WebSocket, and EventSource (and, in browsers that
implement it, fetch()).
Example
A simple policy restricting all resources to the same
origin. The default-src 'self' directive blocks
loading from any external origin and, because 'self'
does not cover inline content, also blocks inline
<script> and <style> blocks and eval().
X-WebKit-CSP: default-src 'self'
A narrower policy that constrains only object embedding, connections, and images to the same origin. Because it sets no default-src, every other resource type, scripts included, remains unrestricted, so despite naming more directives it is weaker than the previous example.
X-WebKit-CSP: object-src 'self'; connect-src 'self'; img-src 'self'
A site sending all three CSP header variants for maximum
backward compatibility. Modern browsers read the
standard Content-Security-Policy header and ignore the
other two. Older WebKit-based browsers fall back to
X-WebKit-CSP, and legacy Firefox versions fall back to
X-Content-Security-Policy; Internet Explorer 10 and 11
also read X-Content-Security-Policy but enforced only its
sandbox directive.
Content-Security-Policy: default-src 'self'; img-src *
X-WebKit-CSP: default-src 'self'; img-src *
X-Content-Security-Policy: default-src 'self'; img-src *
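The directive semantics described above (default-src as fallback, 'self', host and scheme sources, the effect of omitting default-src) and the three-header deployment can be checked mechanically. The following is an added example, not code from the page or from any browser or framework: a small CSP 1.0-style policy evaluator plus a drift check across the three header names. The page origin, resource URLs, and the drifted header set are constructed sample data; the directive names and fallback rules are the CSP Level 1 ones the page lists.

```python
"""Evaluate CSP 1.0-style policies (the syntax shared by Content-Security-Policy,
X-WebKit-CSP and X-Content-Security-Policy) and check that the three header
variants of a response agree. Added example; sample policies and URLs are constructed."""
from urllib.parse import urlsplit

CSP_HEADERS = ("Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy")
# CSP Level 1 fetch directives that inherit default-src when absent
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "object-src", "media-src", "font-src", "frame-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(policy):
    """Split "name src src; name src" into {name: [sources]}. The first occurrence
    of a directive wins, as in CSP, so a duplicated directive cannot loosen the policy."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(expr, resource_url, page_origin):
    """Does one source expression ('self', *, host-source, scheme-source) match resource_url?"""
    e = expr.lower()
    r = urlsplit(resource_url)
    if e == "'none'":
        return False
    if e == "*":
        return True
    if e == "'self'":
        p = urlsplit(page_origin)
        return (r.scheme, r.netloc) == (p.scheme, p.netloc)
    if e.startswith("'"):
        return False                # 'unsafe-inline' / 'unsafe-eval' never match a URL
    if e.endswith(":") and "://" not in e:
        return r.scheme == e[:-1]   # scheme-source such as https:
    scheme, _, host = e.rpartition("://")
    if scheme and scheme != r.scheme:
        return False
    host, _, port = host.partition(":")
    if port and port != str(r.port or DEFAULT_PORTS.get(r.scheme)):
        return False
    if host.startswith("*."):
        return r.hostname.endswith(host[1:])   # *.example.com matches a.example.com
    return r.hostname == host


def effective_sources(directives, directive):
    """Sources governing `directive`: its own list, else default-src, else None (unrestricted)."""
    if directive in directives:
        return directives[directive]
    if directive in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def allows(policy, directive, resource_url, page_origin):
    """Would `policy` let a page at page_origin load resource_url under `directive`?"""
    sources = effective_sources(parse_policy(policy), directive)
    if sources is None:
        return True     # nothing governs this resource type: the load is unrestricted
    return any(source_matches(s, resource_url, page_origin) for s in sources)


def allows_inline_script(policy):
    """Inline <script> is blocked whenever script-src (or default-src as its fallback)
    is present without 'unsafe-inline'."""
    sources = effective_sources(parse_policy(policy), "script-src")
    return sources is None or "'unsafe-inline'" in (s.lower() for s in sources)


def header_variants_agree(headers):
    """True when every CSP header variant present parses to the same policy, so a
    legacy client reading a prefixed header gets what the standard header promises."""
    canonical = set()
    for name in CSP_HEADERS:
        if name in headers:
            parsed = parse_policy(headers[name])
            canonical.add(frozenset((k, tuple(sorted(v))) for k, v in parsed.items()))
    return len(canonical) <= 1


# Constructed sample data: the page's example policies plus a drifted header set
PAGE = "https://www.example.com"
SAME_ORIGIN_ONLY = "default-src 'self'"
NO_DEFAULT = "object-src 'self'; connect-src 'self'; img-src 'self'"
COMPAT = {name: "default-src 'self'; img-src *" for name in CSP_HEADERS}
DRIFTED = {**COMPAT, "X-WebKit-CSP": "default-src 'self'"}   # only two of three headers updated

if __name__ == "__main__":
    print(allows(SAME_ORIGIN_ONLY, "script-src", "https://cdn.example.net/a.js", PAGE))  # False
    print(allows(NO_DEFAULT, "script-src", "https://cdn.example.net/a.js", PAGE))        # True
    print(allows_inline_script(SAME_ORIGIN_ONLY))                                        # False
    print(header_variants_agree(COMPAT), header_variants_agree(DRIFTED))                 # True False
```

The NO_DEFAULT result is the point of the second example above: with no script-src and no default-src, a third-party script loads unchallenged. The drift check is what to run in CI or a response-header audit when a deployment emits all three header names, since a browser tells you nothing when the prefixed copy it reads is stale.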
Takeaway
The X-WebKit-CSP header is WebKit's legacy
vendor-prefixed form of
Content-Security-Policy,
originally used by Safari and Chrome before the CSP
standard was finalized. New deployments belong on the
standard Content-Security-Policy header.