-
Notifications
You must be signed in to change notification settings - Fork 0
Directive: child src
Caution
Obsolete: This feature is no longer recommended. While the specification doesn't use the word deprecated, you are strongly advised to use worker-src for Web Worker management, and frame-src for nested browsing contexts (e.g., frame and iframe).
Support for both modern directives has been available for many years, so we've changed this from a
The child-src directive governs the creation of nested browsing contexts (e.g., frame and iframe) as well as Worker execution contexts.
Affects: <frame> and <iframe> elements; Web Workers (in some browsers).
Required reading:
Accepts one or more schemes or hosts, the 'self' keyword, or the 'none' keyword.
child-src 'none'
child-src 'self'
child-src example.com
child-src example.com example.org
child-src https://*.example.com
child-src https:
✅ child-src will fallback to default-src if it is undefined.
-
CSP-0100 — [ERROR] directive
%shas an invalid value%s -
CSP-0802 — [ERROR] directive
child-srcis deprecated; useframe-srcand/orworker-srcinstead
ABNF (CSP3)
directive-name = "child-src"
directive-value = serialized-source-listSee ABNF: serialized-source-list
- source-list in CSP2
- serialized-source-list in CSP3
Content licensed under CC BY-SA.
- 🧪 Experimental, with limited support
⚠️ Important notes on usage- 🚫 Deprecated or obsolete
- base-uri
- block-all-mixed-content 🚫
- child-src
- connect-src
- default-src
- fenced-frame-src 🧪
- font-src
- form-action
- frame-ancestors
- frame-src
- img-src
- manifest-src
- media-src
- navigate-to 🚫
- object-src
- plugin-types 🚫
- prefetch-src 🚫
- referrer 🚫
- report-to 🧪
-
report-uri
⚠️ - require-trusted-types-for 🧪
- sandbox
- script-src-attr
- script-src-elem
- script-src
- style-src-attr
- style-src-elem
- style-src
- trusted-types 🧪
- upgrade-insecure-requests
- webrtc
- worker-src