
System - Content Security Policy: Addendum

It's time for some additional documentation covering some confusing configuration aspects now that the CSP plugin has been out for a while and a few users have had an opportunity to put it to the test.

An Extra Protocol Type

I'm calling these types Protocol Types, because the documentation doesn't give them a specific name. Two of them are used and described in the CSP specification and will look familiar: http: and https: specifically. There is, however, another type.

You will occasionally see a Blocked URI that is not a URI at all. It is simply labeled "data". This data type refers to content that is held within the attributes of an element, such as an image that contains base64-encoded data instead of an image URL.

To allow these data types, just enter them as if they were a protocol: "data:" (without the quotes).
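The following added example (not part of the CSP plugin or the original page) reads constructed violation reports and maps each Blocked URI, including the bare "data" value, to the source entry that would allow it in the directive that reported it. Holding `data:` back for manual review on script-capable directives is a choice made in this example, and the names `sourceFor`, `suggest` and `CODE_DIRECTIVES` are hypothetical.

```javascript
// Constructed sample reports, using the standard CSP report field names.
const sampleReports = [
  { "blocked-uri": "data", "violated-directive": "img-src 'self'" },
  { "blocked-uri": "https://cdn.example.com/lib/app.js", "violated-directive": "script-src 'self'" },
  { "blocked-uri": "data", "violated-directive": "script-src 'self'" },
  { "blocked-uri": "inline", "violated-directive": "style-src 'self'" },
];

// Assumption of this example: data: is never auto-suggested for directives that load code.
const CODE_DIRECTIVES = ["default-src", "script-src", "script-src-elem", "object-src"];

// Turn a Blocked URI into the source entry that would match it, or null if none applies.
function sourceFor(blockedUri) {
  if (/^[a-z][a-z0-9+.-]*$/i.test(blockedUri)) {
    // A bare word is either a keyword report (inline, eval) or a scheme name such as "data".
    if (["inline", "eval", "wasm-eval"].includes(blockedUri)) return null;
    return blockedUri.toLowerCase() + ":";
  }
  try { return new URL(blockedUri).origin; } catch { return null; }
}

// Group suggested entries by directive; list risky data: entries separately for review.
function suggest(reports) {
  const add = {};
  const review = [];
  for (const r of reports) {
    const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
    const source = sourceFor(r["blocked-uri"] || "");
    if (!directive || !source) continue;
    if (source === "data:" && CODE_DIRECTIVES.includes(directive)) {
      review.push(directive + " " + source);
      continue;
    }
    if (!add[directive]) add[directive] = [];
    if (!add[directive].includes(source)) add[directive].push(source);
  }
  return { add, review };
}

console.log(suggest(sampleReports));
```

Entering `data:` only under the directive named in the report (here `img-src`) keeps the exception as narrow as the content that needs it.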