The csp-policy Element

since 10.3.0

Syntax:

<csp-policy>csp_header_content</csp-policy>

[Default: `script-src 'self' 'unsafe-inline' 'unsafe-eval'`]

<system-config>
    <csp-enabled>true</csp-enabled>
    <csp-policy>
        script-src 'self' 'strict-dynamic' https://www.google-analytics.com
    </csp-policy>
</system-config>

Or

<system-config>
    <csp-enabled>true</csp-enabled>
    <csp-policy>
        script-src 'self' 'unsafe-inline' 'unsafe-eval';
        style-src 'self' 'unsafe-inline';
        img-src 'self' data: https:;
        font-src 'self';
        connect-src 'self';
        frame-ancestors 'none'
    </csp-policy>
</system-config>

Both csp-enabled (set to true) and csp-policy must be present before a custom Content-Security-Policy response header is applied; the text of csp-policy becomes the header value.

If you want to use the strict-dynamic directive, you must also enable <csp-strict-dynamic-enabled>, so that the nonces strict-dynamic relies on are generated and applied correctly during page rendering. The first example above uses 'strict-dynamic' and therefore needs this element as well.
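The following lint script is an added example, not part of this documentation or of the product; it reads a system-config block, reconstructs the header value the csp-policy element would produce, and reports the settings a reviewer would question: a policy that is not applied because csp-enabled is missing or false, script-src allowing 'unsafe-inline' or 'unsafe-eval' (the defaults), 'strict-dynamic' used without csp-strict-dynamic-enabled, and no frame-ancestors directive. The element names come from this page; collapsing the element's whitespace into a single header line is an assumption about how the server emits it, and the sample configuration is constructed for the demonstration.

```python
"""Lint the <csp-policy> value of a <system-config> block (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the strict-dynamic policy from the page, deliberately
# without the <csp-strict-dynamic-enabled> element it requires.
SAMPLE_CONFIG = """<system-config>
    <csp-enabled>true</csp-enabled>
    <csp-policy>
        script-src 'self' 'strict-dynamic' https://www.google-analytics.com
    </csp-policy>
</system-config>"""


def _flag(root, name):
    """True when the child element `name` is present and reads 'true'."""
    return (root.findtext(name) or "").strip().lower() == "true"


def header_value(xml_text):
    """Return the Content-Security-Policy header value the config would emit,
    or None when csp-enabled is not true or csp-policy is missing/empty.
    Whitespace is collapsed (assumption) so a multi-line element yields one
    header line."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("csp-policy")
    if not _flag(root, "csp-enabled") or policy is None or not policy.strip():
        return None
    return re.sub(r"\s+", " ", policy).strip()


def parse_policy(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint(xml_text):
    """Return a list of findings (strings) about the configured policy."""
    findings = []
    value = header_value(xml_text)
    if value is None:
        return ["no CSP header emitted: csp-enabled must be true and "
                "csp-policy non-empty"]
    directives = parse_policy(value)
    root = ET.fromstring(xml_text)
    # script-src falls back to default-src when absent, as browsers do.
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"script-src allows {weak}")
        # With 'strict-dynamic', host and 'self' sources are ignored and only
        # nonced/hashed scripts run, so the nonce machinery must be switched on.
        if "'strict-dynamic'" in script and not _flag(root, "csp-strict-dynamic-enabled"):
            findings.append("'strict-dynamic' used but csp-strict-dynamic-enabled "
                            "is not true (no nonces)")
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors not set: page may be framed")
    return findings


if __name__ == "__main__":
    print("header:", header_value(SAMPLE_CONFIG))
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against your own system-config block to see what the header will contain and which directives still need tightening before the policy is deployed.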
