The navigate-to Content Security Policy (CSP) directive specifies the allowed locations that the page can navigate to. Note that navigate-to is not currently implemented in browsers, and although it was part of the CSP 3 spec, it has since been removed.
When the browser navigates away from one page URL to a different page URL, this is generally a navigation event. Some ways that this might occur:
- When the user clicks on an anchor tag, to go to a different URL specified in the href attribute.
- When the user submits a <form action="...">, they are taken to the form action page URL.
- When the variable is set, a navigation event is triggered.
- When the function is called, a navigation event is triggered.

Suppose you only want to allow navigation on the same domain or same origin as your web application. The CSP 'self' keyword allows you to do just that: use 'self' as the only source in the navigate-to directive.
Now suppose you also want to allow links to an external domain. You can add each allowed external domain to the source list as well:
navigate-to 'self' pdf.example.com;
You can also use wildcards like *.example.com, or even specify the full URL. Take a look at the CSP Source List Reference for other options.
Yes, you can use the navigate-to directive from a Content-Security-Policy meta tag. It can also be specified as part of a Content-Security-Policy
No, the navigate-to directive does not inherit from the default-src directive; you need to explicitly specify it in your Content-Security-Policy header for it to take effect.
If your web application is a single page app that should not allow any navigation away from the page, you can enforce this in the CSP policy by using the 'none' source list keyword as the only source of the navigate-to directive.
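The source-list rules described above ('self', a bare host such as pdf.example.com, a *.example.com wildcard, a full URL, and 'none' for a single page app), together with the point that navigate-to does not fall back to default-src, can be seen in a small model of the check a CSP-enforcing browser would run. This is an added Python example, not code from the original page or from any browser: since no browser implements navigate-to, it only models the matching of a navigation target against the directive's source list, following the CSP 3 host-source rules. The policy strings and URLs in it are constructed, and function names such as navigation_allowed and parse_policy are this example's own.

```python
"""Model of CSP navigate-to source-list matching (added example, not from the
page or any browser).  navigate-to was removed from CSP 3 and no browser
enforces it, so this only illustrates the matching rules the page describes."""
from __future__ import annotations

from urllib.parse import SplitResult, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a policy string (a Content-Security-Policy header value or the
    content attribute of the equivalent meta tag) into
    {directive name: [source expressions]}.  Directives are ';'-separated,
    tokens are whitespace-separated, names are case-insensitive, and only the
    first occurrence of a directive counts."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def scheme_matches(expected: str, actual: str) -> bool:
    # CSP lets an http expression match an https URL (secure upgrade only).
    return expected == actual or (expected == "http" and actual == "https")


def host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]          # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def effective_port(url: SplitResult) -> int | None:
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)


def split_host_source(expr: str) -> tuple[str | None, str, str | None, str]:
    """Break a host-source such as https://pdf.example.com:8443/reports/ into
    (scheme, host, port, path).  IPv6 literals are not handled here."""
    scheme = None
    rest = expr
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
    path = ""
    if "/" in rest:
        rest, tail = rest.split("/", 1)
        path = "/" + tail
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    return scheme, rest.lower(), port, path


def expression_matches(expr: str, target: SplitResult, page: SplitResult) -> bool:
    """Does one source expression allow navigating from page to target?"""
    keyword = expr.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":            # same scheme (or https upgrade), host and port
        return (scheme_matches(page.scheme, target.scheme)
                and target.hostname == page.hostname
                and effective_port(target) == effective_port(page))
    if keyword.endswith(":") and "/" not in keyword:   # scheme-source, e.g. https:
        return scheme_matches(keyword[:-1], target.scheme)
    scheme, host, port, path = split_host_source(expr)
    # No scheme in the expression means "the page's own scheme".
    if not scheme_matches(scheme or page.scheme, target.scheme):
        return False
    if not host_matches(host, target.hostname or ""):
        return False
    if port != "*":
        expected = int(port) if port else DEFAULT_PORTS.get(target.scheme)
        if effective_port(target) != expected:
            return False
    if path and not path.endswith("/"):
        return target.path == path     # exact path match
    return target.path.startswith(path) if path else True   # directory prefix match


def navigation_allowed(policy: str, page_url: str, target_url: str) -> bool:
    """True if the page's CSP lets it navigate to target_url.  A policy with no
    navigate-to directive places no restriction: unlike the fetch directives,
    navigate-to never falls back to default-src."""
    sources = parse_policy(policy).get("navigate-to")
    if sources is None:
        return True
    page, target = urlsplit(page_url), urlsplit(target_url)
    return any(expression_matches(source, target, page) for source in sources)


if __name__ == "__main__":
    # Constructed sample policies and navigation targets.
    page = "https://app.example.com/dashboard"
    cases = [
        ("navigate-to 'self'", "https://app.example.com/settings"),
        ("navigate-to 'self'", "https://pdf.example.com/report.pdf"),
        ("navigate-to 'self' pdf.example.com", "https://pdf.example.com/report.pdf"),
        ("navigate-to 'self' *.example.com", "https://docs.example.com/"),
        ("navigate-to 'none'", "https://app.example.com/settings"),
        ("default-src 'self'", "https://anywhere.example/"),
    ]
    for policy, target in cases:
        verdict = "allowed" if navigation_allowed(policy, page, target) else "blocked"
        print(f"{policy:40} {target:45} {verdict}")
```

Two details worth noticing when reading the output: a bare host like pdf.example.com inherits the page's scheme, so an http:// target is blocked from an https page, and a wildcard *.example.com matches subdomains only, never example.com itself or a look-alike such as example.com.attacker.test.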
No browsers currently support navigate-to.