The navigate-to Content Security Policy (CSP) directive specifies the locations that a page is allowed to navigate to.
navigate-to is not implemented in any browser. Although it was part of the CSP Level 3 working draft, it has since been removed from the spec.
When the browser leaves one page URL for a different page URL, that is a navigation. Some of the ways a navigation can occur:
<a href="..."> - the user clicks an anchor tag and is taken to the URL in its href attribute.
<form action="..."> - the user submits a form and is taken to the URL in the form's action attribute (in the draft, form-action took precedence over navigate-to for form submissions when both were present).
window.location - assigning to the window.location variable triggers a navigation.
window.open - calling the window.open function triggers a navigation, in a new browsing context.
Suppose you only want to allow navigation to the same origin as your web application. The CSP 'self' keyword does just that; note that 'self' matches the document's own origin (scheme, host and port), not merely the same domain: navigate-to 'self';
Now suppose you also want to allow a link to an external host. Add each allowed host to the source list (a bare host with no scheme matches the page's own scheme):
navigate-to 'self' pdf.example.com;
You can also use wildcards like *.example.com, or specify a full URL. Take a look at the CSP Source List Reference for the other options.
Yes, you can use the navigate-to directive from a Content-Security-Policy meta tag. It can also be specified as part of a
navigate-to does not inherit from the default-src directive, so you need to specify it explicitly in your Content-Security-Policy header for it to take effect.
If your web application is a single page app that should not allow any navigation away from the page, you can express this in the CSP policy with the 'none' source list keyword. Keep in mind that 'none' blocks every navigation the document initiates, including same-origin links and form submissions. For example: navigate-to 'none';
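Because no browser evaluates navigate-to, the only way to see what a given source list would and would not permit is to model the matching yourself. The following is an added example (not code from the original page, and not browser code) that applies the CSP source-expression rules to a navigation target: 'none', 'self', a bare host such as pdf.example.com, a *.example.com wildcard, a scheme such as https:, and a full URL with a path. It covers the source-list discussion above as well as the 'none' case. The helpers, the sample policy and the page URL are all constructed for illustration; IP literals and ws/wss rules are left out.

```javascript
// Added example: model of how a navigate-to source list would be matched
// against a navigation target, following the CSP source-expression rules.
// Not from the original page and not browser code; helper names are ours.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Pull the navigate-to source list out of a full policy string.
// Returns null when the directive is absent (no restriction at all).
function parseNavigateTo(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => /^navigate-to(\s|$)/i.test(d));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1);
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function schemeMatches(pattern, actual) {
  // A pattern of http also matches https (CSP's secure-upgrade allowance).
  return pattern === actual || (pattern === "http:" && actual === "https:");
}

// Does one source expression match the target URL?
function sourceMatches(source, target, page) {
  const keyword = source.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(keyword)) return schemeMatches(keyword, target.protocol);
  // host-source: [scheme://]host[:port][/path]; quoted keywords never match a host.
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:'"]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  if (!schemeMatches(wantScheme, target.protocol)) return false;
  if (!hostMatches(host.toLowerCase(), target.hostname)) return false;
  // No port in the pattern means the default port of the target's scheme.
  const targetPort = target.port || DEFAULT_PORTS[target.protocol] || "";
  const wantPort = port === undefined ? DEFAULT_PORTS[target.protocol] || "" : port;
  if (wantPort !== "*" && wantPort !== targetPort) return false;
  if (path !== undefined) {
    // A path ending in "/" is a prefix; otherwise it must match exactly.
    return path.endsWith("/") ? target.pathname.startsWith(path) : target.pathname === path;
  }
  return true;
}

// Would a navigation from pageUrl to targetUrl be allowed under this policy?
function navigationAllowed(policy, targetUrl, pageUrl) {
  const sources = parseNavigateTo(policy);
  if (sources === null) return true; // directive absent: unrestricted
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, pageUrl); // relative targets resolve against the page
  // An empty list, or 'none' on its own, blocks every navigation.
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  return sources.some((s) => sourceMatches(s, target, page));
}

// Constructed sample policy and page for demonstration (not from the page).
const EXAMPLE_POLICY =
  "default-src 'self'; navigate-to 'self' pdf.example.com *.cdn.example.com https://docs.example.com/manuals/";
const EXAMPLE_PAGE = "https://app.example.com/dashboard";
```

Run navigationAllowed(EXAMPLE_POLICY, "https://cdn.example.com/x", EXAMPLE_PAGE) and it returns false, because *.cdn.example.com matches subdomains only; the same call with static.cdn.example.com returns true. A relative target such as "/settings" is allowed by 'self', while https://app.example.com:8443/ is not, since the port differs. The model is useful for linting a policy you intend to keep for the day a browser ships the directive; it gives no enforcement on its own.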
No browsers currently support the navigate-to directive. Browsers ignore directives they do not recognize, so a policy that includes navigate-to is accepted but restricts nothing; do not rely on it as a security control.