# Token dictionary for exercising the Content-Security-Policy parser.
# Target named by the original header:
### dom/security/nsCSPParser.cpp
#
# Layout: one double-quoted token per line; a line that begins with '#' is a comment.
# NOTE(review): this looks like the libFuzzer/AFL dictionary format. If so, every
# entry must stay on its own line, because a line that starts with '#' is skipped
# whole and a collapsed file would contribute no tokens. Confirm against the
# harness that loads this file.

# tokens
# Single-character punctuation. ';' separates directives in a serialized policy;
# the others can occur inside source expressions, paths and query strings.
":"
";"
"/"
"+"
"-"
"."
"_"
"~"
"*"
"'"
"#"
"?"
"%"
"!"
"$"
"&"
"("
")"
"="
"@"

# Specifications the remaining entries are taken from:
### https://www.w3.org/TR/{CSP,CSP2,CSP3}/

# directive names
# Drawn from all three spec levels linked above, so the list mixes fetch,
# document, navigation and reporting directives.
# NOTE(review): some names (e.g. "reflected-xss", "disown-opener", "plugin-types")
# appear only in certain levels or drafts. Confirm which ones the parser still
# recognises and which are expected to hit the unknown-directive path.
"default-src"
"script-src"
"object-src"
"style-src"
"img-src"
"media-src"
"frame-src"
"font-src"
"connect-src"
"report-uri"
"frame-ancestors"
"reflected-xss"
"base-uri"
"form-action"
"manifest-src"
"upgrade-insecure-requests"
"child-src"
"block-all-mixed-content"
"sandbox"
"worker-src"
"plugin-types"
"disown-opener"
"report-to"

# directive values
# Keyword, nonce and hash source expressions; the single quotes are part of each
# token. The nonce/hash payloads are minimal base64 samples ("AA==", "fw==",
# "/w==", "//8="), far shorter than a real digest, so they can only exercise
# syntax handling, never a successful digest match.
# NOTE(review): 'unsafe-hashes', the later CSP3 name for
# 'unsafe-hashed-attributes', is not listed. Confirm whether the parser accepts
# it and whether it should be added.
"'self'"
"'unsafe-inline'"
"'unsafe-eval'"
"'none'"
"'strict-dynamic'"
"'unsafe-hashed-attributes'"
"'nonce-AA=='"
"'sha256-fw=='"
"'sha384-/w=='"
"'sha512-//8='"

# subresources
# HTML element names. How the harness or parser consumes them is not visible
# from this file. TODO confirm.
"a"
"audio"
"embed"
"iframe"
"img"
"link"
"object"
"script"
"source"
"style"
"track"
"video"

# sandboxing flags
# Values for the "sandbox" directive listed above.
# NOTE(review): this is a subset of the HTML sandbox flags; verify it against the
# set the parser validates.
"allow-forms"
"allow-pointer-lock"
"allow-popups"
"allow-same-origin"
"allow-scripts"
"allow-top-navigation"
"allow-top-navigation-by-user-activation"

# URI components
# Scheme-sources (trailing ':' included), a scheme prefix, a host name and the
# IPv4/IPv6 loopback literals.
# "selfuri.com" presumably matches the self URI configured by the harness;
# verify there.
# NOTE(review): "::1" is listed without brackets and neither "[" nor "]" appears
# in the token section above. Confirm whether bracketed IPv6 hosts need coverage.
"https:"
"ws:"
"blob:"
"data:"
"filesystem:"
"javascript:"
"http://"
"selfuri.com"
"127.0.0.1"
"::1"