Content Security Policy (CSP)
Quick Reference Guide

The CSP navigate-to Directive

The navigate-to Content Security Policy (CSP) directive specifies the allowed locations that the page can navigate to.

Unimplemented Feature

Note that navigate-to is not currently implemented in browsers, and although it was part of the CSP 3 spec, it has since been removed.

What browser navigation events are covered?

When the browser navigates away from one page URL to a different page URL, this is generally a navigation event. Some ways that this might occur:

An example navigate-to CSP policy

Suppose you only want to allow navigation on the same domain or same origin as your web application. The CSP self keyword allows you to do just that:

navigate-to 'self';

Allowing navigation to external domains

Now suppose you also want to allow a link to an external domain. You can add each allowed external domain to the source list as well:

navigate-to 'self';

You can also use wildcards like *, or even specify the full URL. Take a look at the CSP Source List Reference for other options.

Can navigate-to be used in a meta tag?

Yes, you can use the navigate-to directive from a Content-Security-Policy meta tag. It can also be specified as part of a Content-Security-Policy header.

Is navigate-to covered by the default-src directive?

No, the navigate-to directive does not inherit from the default-src directive. You need to explicitly specify it in your Content-Security-Policy header for it to take effect.

How can I disable all navigation?

If your web application is a single page app that should not allow any navigation away from the page, you can enforce this in the CSP policy by using the 'none' source list keyword. For example:

navigate-to 'none';
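
Because no browser enforces navigate-to, the rules described above ('self', 'none', external hosts, wildcards, and no fallback to default-src) can be modelled in a few lines to check outbound links in tests. This is an added example, not code from the original page: the function names and the sample hosts in it are assumptions, and the matching is a simplified model rather than the full CSP source-list algorithm.

```javascript
// Added example: simplified model of navigate-to source matching.
// Not the full CSP3 algorithm: paths, redirects, nonces and hashes are ignored.

// Split a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // As in CSP, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// A source scheme matches itself; http also matches the https upgrade.
const schemeMatches = (want, got) =>
  want === got || (want === 'http:' && got === 'https:');

// Does one source expression match the target URL?
function sourceMatches(source, target, page) {
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === page.origin;
  if (src === '*') return /^https?:$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return schemeMatches(src, target.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(src);
  if (!m) return false; // 'none', keywords and malformed expressions match nothing
  const [, scheme, wildcard, host, port] = m;
  // A host without a scheme takes the scheme of the protected page.
  const schemeOk = schemeMatches(scheme ? scheme + ':' : page.protocol, target.protocol);
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  const effectivePort = target.port || (target.protocol === 'https:' ? '443' : '80');
  const portOk = port === '*' || (port ? port === effectivePort : target.port === '');
  return schemeOk && hostOk && portOk;
}

// Would this policy permit navigating from pageUrl to targetUrl?
function navigationAllowed(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page); // resolves relative links
  const sources = parsePolicy(policy).get('navigate-to');
  // No navigate-to directive: unrestricted, because default-src is not a fallback.
  if (sources === undefined) return true;
  // An empty list behaves like 'none'.
  return sources.some((s) => sourceMatches(s, target, page));
}
```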

Browser Support for navigate-to

No browsers currently support navigate-to.
