---

What browser navigation events are covered?

When the browser navigates away from one page url to a different page url, this is generally a navigation event. Some ways that this might occur:

• <a href="..."> - When the user clicks on an anchor tag, to go to a different url specified in the href attribute.
• <form action="..."> - When the user submits a form, they are taken to the form action page url.
• window.location = '...';> - When javascript window.location variable is set, a navigation event is triggered.
• window.open('...');> - When the javascript window.open function is called a navigation event is triggered.

An example navigate-to CSP policy

Suppose you only want to allow navigation on the same domain or same origin as your web application. The CSP self keyword allows you to do just that:

navigate-to: 'self';

Allowing navigation to external domains

Now suppose you wanted to also allow a link to an external domain, you can add each external domain that is allowed as well:

navigate-to: 'self' pdf.example.com;

You can also use wildcards like *.example.com, or even specify the full url. Take a look at the CSP Source List Reference for other options.

Can navigate-to be used in a meta tag?

Yes, you can use the navigate-to directive from a Content-Security-Policy meta tag. It can also be specified as part of a Content-Security-Policy header.

Is navigate-to covered by the default-src directive?

No, the navigate-to does not inherit from the default-src directive, you need to explicitly specify it in your Content-Security-Policy header for it to take effect.

How can I disable all navigation

If your web application is a single page app, that should not allow any navigation away from the page, you can enforce this in the CSP policy by using the 'none' source list keyword. For example:

navigate-to: 'none';

Browser Support for navigate-to

No browsers currently support navigate-to

---