initial commit

5 files changed, 739 insertions, 0 deletions

diff --git a/files/ko/web/http/headers/content-security-policy/default-src/index.html b/files/ko/web/http/headers/content-security-policy/default-src/index.html
new file mode 100644
index 0000000000..d3c21caf18
--- /dev/null
+++ b/files/ko/web/http/headers/content-security-policy/default-src/index.html
@@ -0,0 +1,149 @@
+---
+title: 'CSP: default-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/default-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/default-src
+---
+<div>
+<p>{{HTTPSidebar}}</p>
+
+<p>HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>default</strong></code><strong><code>-src</code></strong> 구문은 다른  CSP 구문이 정의되지 않았을때 이를 대체하는 용도로 사용됩니다.  as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}. 다음과 같은 구문이 없는 경우,  <code>default-src</code> 구문을 찾아서 사용합니다:</p>
+
+<ul>
+ <li>{{CSP("child-src")}}</li>
+ <li>{{CSP("connect-src")}}</li>
+ <li>{{CSP("font-src")}}</li>
+ <li>{{CSP("frame-src")}}</li>
+ <li>{{CSP("img-src")}}</li>
+ <li>{{CSP("manifest-src")}}</li>
+ <li>{{CSP("media-src")}}</li>
+ <li>{{CSP("object-src")}}</li>
+ <li>{{CSP("script-src")}}</li>
+ <li>{{CSP("style-src")}}</li>
+ <li>{{CSP("worker-src")}}</li>
+</ul>
+
+<table>
+ <tbody>
+  <tr>
+   <th scope="row">CSP version</th>
+   <td>1</td>
+  </tr>
+  <tr>
+   <th scope="row">Directive type</th>
+   <td>{{Glossary("Fetch directive")}}</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p>하나 이상의 출처가 <code>default-src</code> 정책에 의해서 허용될 수 있습니다:</p>
+
+<pre>Content-Security-Policy: default-src &lt;source&gt;;
+Content-Security-Policy: default-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>&lt;source&gt; 에는 다음에 항목이 포함됩니다. </p>
+
+<dl>
+ <dt>&lt;host-source&gt;</dt>
+ <dd>부수적으로 <a href="/en-US/docs/URIs_and_URLs">URL scheme</a> 및/또는 port 번호가 포함된 도메인 또는 IP 주소와 같은 인터넷 호스트, 또한 사이트의 주소 및 포트에 와일트 카드를 사용할 수 도 있습니다 (<code>'*'</code>), 이를 사용하면 모든 주소 또는 포트에서의 유효함을 나타냅니다.<br>
+ 예:
+ <ul>
+  <li><code>http://*.example.com</code>:  <code>http:</code> 를 사용하는 모든 서브도메인에서 매칭됩</li>
+  <li><code>mail.example.com:443</code>: 443 포트로 mail.example.com에 접근하는 경우 매칭됨</li>
+  <li><code>https://store.example.com</code>: store.example.com를 <code>https:</code>로 접근하는 경우 매칭됨</li>
+ </ul>
+ </dd>
+ <dt>&lt;scheme-source&gt;</dt>
+ <dd> 'http:' 또는 'https:'와 같은 스키마.<strong> 콜론이 필수적이며, 작은 따음표는 사용하지 않아야 합니다.</strong>  스키마도 지정할 수 있습니다 (추천하지 않음).
+ <ul>
+  <li><code>data:</code><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs"><code>data:</code> URIs</a> 를 컨텐츠 출처로 허용합니다. 이것은 안전하지 않습니다. <em>공격자가 임의의 데이터를 주입할 수도 있기 때문에 script에는 사용하지 마십시오.</em></li>
+  <li><code>mediastream:</code><a href="/en-US/docs/Web/API/MediaStream_API"><code>mediastream:</code> URIs</a> 을 콘텐츠 출처로 허용합니다.</li>
+  <li><code>blob:</code><a href="/en-US/docs/Web/API/Blob"><code>blob:</code> URIs</a>을 콘텐츠 출처로 허용합니다.</li>
+  <li><code>filesystem:</code><a href="/en-US/docs/Web/API/FileSystem"><code>filesystem:</code> URIs</a> 을 콘텐츠 출처로 허용합니다.</li>
+ </ul>
+ </dd>
+ <dt><code>'self'</code></dt>
+ <dd>동일한 URL 체계와 포트를 포함하여 보호되는 파일의 원본을 참조합니다.  작은 따음표가 필수적으로 있어야 합니다. 일부 브라우저에서는 <code>blob</code> 와 <code>filesystem</code> 를 source 지시문에서 제외합니다. 이러한 콘텐츠 타입을 허용해야 하는 사이트는 데이터 attribute를 사용하여 지정할 수 있습니다.</dd>
+ <dt><code>'unsafe-inline'</code></dt>
+ <dd>인라인 {{HTMLElement("script")}} 태그, <code>javascript:</code> URLs, 인라인 이벤트 핸들러, 그리고 인라인 {{HTMLElement("style")}} 태그와 같은 인라인 요소들을 모두 허용합니다. 작은 따음표를 사용해야만 합니다.</dd>
+ <dt><code>'unsafe-eval'</code></dt>
+ <dd><code>eval()</code> 및 문자열에서 코드를 생성하는 함수의 사용을 허용합니다. 작은 따음표를 사용해야만 합니다.</dd>
+ <dt><code>'none'</code></dt>
+ <dd>아무것도 참조 되지 않습니다. 즉 아무런 URL도 매치되지 않습니다. 작은 따음표를 사용해야만 합니다.</dd>
+ <dt>'nonce-&lt;base64-value&gt;'</dt>
+ <dd>암호화 nonce 값을 이용하여 특정 인라인 스크립트에 대하여 허용합니다(nonce는 한번만 사용). 서버는 CSP정책을 전송할 때마다 고유한 nonce를 생성해야만 합니다. 리소스 정책을 우회하는 것은 간단한 일이기 때문에 의심 할 여지가 없는 nonce 값을 제공하는 것이 중요합니다. <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script">unsafe inline script</a> 예제를 참고해주세요. nonce는 <code>'unsafe-inline'</code> 와 함께 사용할 경우 모던 브라우저에서는 사용하게 되면  <code>'unsafe-inline'</code>가 무시되지만, 구형 브라우저에서는 nonce가 적용되지 않습니다.</dd>
+ <dt>'&lt;hash-algorithm&gt;-&lt;base64-value&gt;'</dt>
+ <dd>스크립트 또는 스타일의  sha256, sha384 or sha512 해쉬. 이것은 대쉬: 로 구분된 해쉬를 사용된 암호화 알고리즘과 base64로 인코딩한 스크립트 및 스타일로 구성됩니다. 해쉬를 생성할 때 절대로 &lt;script&gt; 또는 &lt;style&gt; 태그를 포함하지말고 대소문자와 앞 뒤의 공백을 주의해야 합니다.<a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script">unsafe inline script</a> 예제를 참고해주세요. CSP 2.0에서는 인라인 스크립트에서만 적용 가능하지만,  CSP 3.0에서는 외부 스크립트를 <code>script-src</code> 에서 허용하기 위해서 사용합니다.</dd>
+ <dt>'strict-dynamic'</dt>
+ <dd>The <code>strict-dynamic</code> source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as <code>'self'</code> or <code>'unsafe-inline'</code> will be ignored. See <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic">script-src</a> for an example.</dd>
+</dl>
+
+<h2 id="Examples">Examples</h2>
+
+<h3 id="default-src의_상속_불가"><code>default-src</code>의 상속 불가</h3>
+
+<p>다른 구문이 지정되면 default-src는 더 이상 영향을 주지 않습니다. 아래의 헤더는 </p>
+
+<pre>Content-Security-Policy: default-src 'self'; script-src https://example.com</pre>
+
+<p>다음과 같습니다:</p>
+
+<pre>Content-Security-Policy: connect-src 'self';
+                         font-src 'self';
+                         frame-src 'self';
+                         img-src 'self';
+                         manifest-src 'self';
+                         media-src 'self';
+                         object-src 'self';
+                         script-src https://example.com;
+                         style-src 'self';
+                         worker-src 'self'</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table>
+ <tbody>
+  <tr>
+   <th scope="col">Specification</th>
+   <th scope="col">Status</th>
+   <th scope="col">Comment</th>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 3.0", "#directive-default-src", "default-src")}}</td>
+   <td>{{Spec2('CSP 3.0')}}</td>
+   <td>Added <code>frame-src</code>, <code>manifest-src</code> and <code>worker-src</code> as defaults.</td>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 1.1", "#directive-default-src", "default-src")}}</td>
+   <td>{{Spec2('CSP 1.1')}}</td>
+   <td>Initial definition.</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p>The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.default-src")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{CSP("connect-src")}}</li>
+ <li>{{CSP("font-src")}}</li>
+ <li>{{CSP("frame-src")}}</li>
+ <li>{{CSP("img-src")}}</li>
+ <li>{{CSP("manifest-src")}}</li>
+ <li>{{CSP("media-src")}}</li>
+ <li>{{CSP("object-src")}}</li>
+ <li>{{CSP("script-src")}}</li>
+ <li>{{CSP("style-src")}}</li>
+ <li>{{CSP("worker-src")}}</li>
+</ul>
+</div>
diff --git a/files/ko/web/http/headers/content-security-policy/img-src/index.html b/files/ko/web/http/headers/content-security-policy/img-src/index.html
new file mode 100644
index 0000000000..bd959a91db
--- /dev/null
+++ b/files/ko/web/http/headers/content-security-policy/img-src/index.html
@@ -0,0 +1,84 @@
+---
+title: 'CSP: img-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/img-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/img-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>The HTTP {{HTTPHeader("Content-Security-Policy")}}<code>:</code> <code><strong>img</strong></code><strong><code>-src</code></strong> 지시어는 이미지 및 파비콘에 대하여 유효한 출처를 지정합니다.</p>
+
+<table class="properties">
+ <tbody>
+  <tr>
+   <th scope="row">CSP version</th>
+   <td>1</td>
+  </tr>
+  <tr>
+   <th scope="row">Directive type</th>
+   <td>{{Glossary("Fetch directive")}}</td>
+  </tr>
+  <tr>
+   <th scope="row">{{CSP("default-src")}} fallback</th>
+   <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p><code>img-src</code> 정책에 대해 하나 이상의 출처를 허용 할 수 있습니다.</p>
+
+<pre class="syntaxbox">Content-Security-Policy: img-src &lt;source&gt;;
+Content-Security-Policy: img-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<h2 id="Examples">Examples</h2>
+
+<h3 id="Violation_cases">Violation cases</h3>
+
+<p>CSP 헤더가 주어질 때:</p>
+
+<pre class="brush: bash">Content-Security-Policy: img-src https://example.com/</pre>
+
+<p>아래의 {{HTMLElement("img")}} 태그가 차단되어 불러오지 않습니다:</p>
+
+<pre class="brush: html">&lt;img src="https://not-example.com/foo.jpg" alt="example picture"&gt;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+  <tr>
+   <th scope="col">Specification</th>
+   <th scope="col">Status</th>
+   <th scope="col">Comment</th>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 3.0", "#directive-img-src", "img-src")}}</td>
+   <td>{{Spec2('CSP 3.0')}}</td>
+   <td>No changes.</td>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 1.1", "#directive-img-src", "img-src")}}</td>
+   <td>{{Spec2('CSP 1.1')}}</td>
+   <td>Initial definition.</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.img-src")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("img")}}</li>
+</ul>
diff --git a/files/ko/web/http/headers/content-security-policy/index.html b/files/ko/web/http/headers/content-security-policy/index.html
new file mode 100644
index 0000000000..22c869ef5c
--- /dev/null
+++ b/files/ko/web/http/headers/content-security-policy/index.html
@@ -0,0 +1,259 @@
+---
+title: Content-Security-Policy
+slug: Web/HTTP/Headers/Content-Security-Policy
+tags:
+  - CSP
+  - HTTP
+  - Reference
+  - Security
+  - header
+translation_of: Web/HTTP/Headers/Content-Security-Policy
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>The HTTP <strong><code>Content-Security-Policy</code></strong> response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks ({{Glossary("XSS")}}).</p>
+
+<p>For more information, see the introductory article on <a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a>.</p>
+
+<table class="properties">
+ <tbody>
+  <tr>
+   <th scope="row">Header type</th>
+   <td>{{Glossary("Response header")}}</td>
+  </tr>
+  <tr>
+   <th scope="row">{{Glossary("Forbidden header name")}}</th>
+   <td>no</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<pre class="syntaxbox">Content-Security-Policy: &lt;policy-directive&gt;; &lt;policy-directive&gt;
+</pre>
+
+<h2 id="Directives">Directives</h2>
+
+<h3 id="Fetch_directives" name="Fetch_directives">{{Glossary("Fetch directive", "Fetch directives")}}</h3>
+
+<p>Fetch directives control locations from which certain resource types may be loaded.</p>
+
+<h4 id="List_of_Content_Security_Policy_Fetch_directives">List of Content Security Policy Fetch directives</h4>
+
+<dl>
+ <dt>{{CSP("child-src")}}</dt>
+ <dd>Defines the valid sources for <a href="/en-US/docs/Web/API/Web_Workers_API">web workers</a> and nested browsing contexts loaded using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}.
+ <div class="warning">
+ <p>Instead of <strong><code>child-src</code></strong>, authors who wish to regulate nested browsing contexts and workers should use the {{CSP("frame-src")}} and {{CSP("worker-src")}} directives, respectively.</p>
+ </div>
+ </dd>
+ <dt>{{CSP("connect-src")}}</dt>
+ <dd>Restricts the URLs which can be loaded using script interfaces</dd>
+ <dt>{{CSP("default-src")}}</dt>
+ <dd>Serves as a fallback for the other {{Glossary("Fetch directive", "fetch directives")}}.</dd>
+ <dt>{{CSP("font-src")}}</dt>
+ <dd>Specifies valid sources for fonts loaded using {{cssxref("@font-face")}}.</dd>
+ <dt>{{CSP("frame-src")}}</dt>
+ <dd>Specifies valid sources for nested browsing contexts loading using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}.</dd>
+ <dt>{{CSP("img-src")}}</dt>
+ <dd>Specifies valid sources of images and favicons.</dd>
+ <dt>{{CSP("manifest-src")}}</dt>
+ <dd>Specifies valid sources of application manifest files.</dd>
+ <dt>{{CSP("media-src")}}</dt>
+ <dd>Specifies valid sources for loading media using the {{HTMLElement("audio")}} , {{HTMLElement("video")}} and {{HTMLElement("track")}} elements.</dd>
+ <dt>{{CSP("object-src")}}</dt>
+ <dd>Specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.</dd>
+ <dd class="note">Elements controlled by <code>object-src</code> are perhaps coincidentally considered legacy HTML elements and are not recieving new standardized features (such as the security attributes <code>sandbox</code> or <code>allow</code> for <code>&lt;iframe&gt;</code>). Therefore it is <strong>recommended</strong> to restrict this fetch-directive (e.g. explicitly set <code>object-src 'none'</code> if possible).</dd>
+ <dt>{{CSP("prefetch-src")}}{{experimental_inline}}</dt>
+ <dd>Specifies valid sources to be prefetched or prerendered.</dd>
+ <dt>{{CSP("script-src")}}</dt>
+ <dd>Specifies valid sources for JavaScript.</dd>
+ <dt>{{CSP("script-src-elem")}}{{experimental_inline}}</dt>
+ <dd>Specifies valid sources for JavaScript {{HTMLElement("script")}} elements.</dd>
+ <dt>{{CSP("script-src-attr")}}{{experimental_inline}}</dt>
+ <dd>Specifies valid sources for JavaScript inline event handlers.</dd>
+</dl>
+
+<dl>
+ <dt>{{CSP("style-src")}}</dt>
+ <dd>Specifies valid sources for stylesheets.</dd>
+ <dt>{{CSP("style-src-elem")}}{{experimental_inline}}</dt>
+ <dd>Specifies valid sources for stylesheets {{HTMLElement("style")}} elements and {{HTMLElement("link")}} elements with <code>rel="stylesheet"</code>.</dd>
+ <dt>{{CSP("style-src-attr")}}{{experimental_inline}}</dt>
+ <dd>Specifies valid sources for inline styles applied to individual DOM elements.</dd>
+ <dt>{{CSP("worker-src")}}{{experimental_inline}}</dt>
+ <dd>Specifies valid sources for {{domxref("Worker")}}, {{domxref("SharedWorker")}}, or {{domxref("ServiceWorker")}} scripts.</dd>
+</dl>
+
+<h3 id="Document_directives" name="Document_directives">{{Glossary("Document directive", "Document directives")}}</h3>
+
+<p>Document directives govern the properties of a document or <a href="/en-US/docs/Web/API/Web_Workers_API">worker</a> environment to which a policy applies.</p>
+
+<h4 id="List_of_Content_Security_Policy_Document_directives">List of Content Security Policy Document directives</h4>
+
+<dl>
+ <dt>{{CSP("base-uri")}}</dt>
+ <dd>Restricts the URLs which can be used in a document's {{HTMLElement("base")}} element.</dd>
+ <dt>{{CSP("plugin-types")}}</dt>
+ <dd>Restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.</dd>
+ <dt>{{CSP("sandbox")}}</dt>
+ <dd>Enables a sandbox for the requested resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}} attribute.</dd>
+</dl>
+
+<h3 id="Navigation_directives" name="Navigation_directives">{{Glossary("Navigation directive", "Navigation directives")}}</h3>
+
+<p>Navigation directives govern to which location a user can navigate to or submit a form to, for example.</p>
+
+<h4 id="List_of_Content_Security_Policy_Navigation_directives">List of Content Security Policy Navigation directives</h4>
+
+<dl>
+ <dt>{{CSP("form-action")}}</dt>
+ <dd>Restricts the URLs which can be used as the target of a form submissions from a given context.</dd>
+ <dt>{{CSP("frame-ancestors")}}</dt>
+ <dd>Specifies valid parents that may embed a page using {{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("object")}}, {{HTMLElement("embed")}}, or {{HTMLElement("applet")}}.</dd>
+ <dt>{{CSP("navigate-to")}}{{experimental_inline}}</dt>
+ <dd>Restricts the URLs to which a document can initiate navigation by any means, including {{HTMLElement("form")}} (if {{CSP("form-action")}} is not specified), {{HTMLElement("a")}}, {{DOMxRef("window.location")}}, {{DOMxRef("window.open")}}, etc.</dd>
+</dl>
+
+<h3 id="Reporting_directives" name="Reporting_directives">{{Glossary("Reporting directive", "Reporting directives")}}</h3>
+
+<p>Reporting directives control the reporting process of CSP violations. See also the {{HTTPHeader("Content-Security-Policy-Report-Only")}} header.</p>
+
+<h4 id="List_of_Content_Security_Policy_Reporting_directives">List of Content Security Policy Reporting directives</h4>
+
+<dl>
+ <dt>{{CSP("report-uri")}}{{deprecated_inline}}</dt>
+ <dd>Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP <code>POST</code> request to the specified URI.
+ <div class="warning">
+ <p>Though the {{CSP("report-to")}} directive is intended to replace the deprecated <code><strong>report-uri</strong></code> directive, {{CSP("report-to")}} is not supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get {{CSP("report-to")}} support, you can specify both <code><strong>report-uri</strong></code> and {{CSP("report-to")}}:</p>
+
+ <pre class="syntaxbox">Content-Security-Policy: ...; report-uri https://endpoint.example.com; report-to groupname</pre>
+
+ <p>In browsers that support {{CSP("report-to")}}, the <code><strong>report-uri</strong></code> directive will be ignored.</p>
+ </div>
+ </dd>
+ <dt>{{CSP("report-to")}}{{experimental_inline}}</dt>
+ <dd>Fires a <code>SecurityPolicyViolationEvent</code>.</dd>
+</dl>
+
+<h3 id="Other_directives">Other directives</h3>
+
+<dl>
+ <dt>{{CSP("block-all-mixed-content")}}</dt>
+ <dd>Prevents loading any assets using HTTP when the page is loaded using HTTPS.</dd>
+ <dt>{{CSP("referrer")}}{{deprecated_inline}}{{non-standard_inline}}</dt>
+ <dd>Used to specify information in the referer (sic) header for links away from a page. Use the {{HTTPHeader("Referrer-Policy")}} header instead.</dd>
+ <dt>{{CSP("require-sri-for")}}{{experimental_inline}}</dt>
+ <dd>Requires the use of {{Glossary("SRI")}} for scripts or styles on the page.</dd>
+ <dt>{{CSP("require-trusted-types-for")}}{{experimental_inline}}</dt>
+ <dd>Enforces <a href="https://w3c.github.io/webappsec-trusted-types/dist/spec/">Trusted Types</a> at the DOM XSS injection sinks.</dd>
+</dl>
+
+<dl>
+ <dt>{{CSP("trusted-types")}}{{experimental_inline}}</dt>
+ <dd>Used to specify a whitelist of <a href="https://w3c.github.io/webappsec-trusted-types/dist/spec/">Trusted Types</a> policies (Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings).</dd>
+</dl>
+
+<dl>
+ <dt>{{CSP("upgrade-insecure-requests")}}</dt>
+ <dd>Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.</dd>
+</dl>
+
+<h2 id="CSP_in_workers">CSP in workers</h2>
+
+<p><a href="/en-US/docs/Web/API/Worker">Workers</a> are in general <em>not</em> governed by the content security policy of the document (or parent worker) that created them. To specify a content security policy for the worker, set a <code>Content-Security-Policy</code> response header for the request which requested the worker script itself.</p>
+
+<p>The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the content security policy of the document or worker that created it.</p>
+
+<h2 id="Multiple_content_security_policies">Multiple content security policies</h2>
+
+<p>CSP allows multiple policies being specified for a resource, including via the <code>Content-Security-Policy</code> header, the {{HTTPHeader("Content-Security-Policy-Report-Only")}} header and a {{HTMLElement("meta")}} element.</p>
+
+<p>You can use the <code>Content-Security-Policy</code> header more than once like in the example below. Pay special attention to the {{CSP("connect-src")}} directive here. Even though the second policy would allow the connection, the first policy contains <code>connect-src 'none'</code>. Adding additional policies <em>can only further restrict</em> the capabilities of the protected resource, which means that there will be no connection allowed and, as the strictest policy, <code>connect-src 'none'</code> is enforced.</p>
+
+<pre>Content-Security-Policy: default-src 'self' http://example.com;
+                         connect-src 'none';
+Content-Security-Policy: connect-src http://example.com/;
+                         script-src http://example.com/</pre>
+
+<h2 id="Examples">Examples</h2>
+
+<p>Example: Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https:</p>
+
+<pre>// header
+Content-Security-Policy: default-src https:
+
+// meta tag
+&lt;meta http-equiv="Content-Security-Policy" content="default-src https:"&gt;
+</pre>
+
+<p>Example: Pre-existing site that uses too much inline code to fix but wants to ensure resources are loaded only over https and disable plugins:</p>
+
+<pre>Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'</pre>
+
+<p>Example: Do not implement the above policy yet; instead just report violations that would have occurred:</p>
+
+<pre>Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/</pre>
+
+<p>See <a href="https://infosec.mozilla.org/guidelines/web_security#Examples_5">Mozilla Web Security Guidelines</a> for more examples.</p>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <thead>
+  <tr>
+   <th scope="col">Specification</th>
+   <th scope="col">Status</th>
+   <th scope="col">Comment</th>
+  </tr>
+ </thead>
+ <tbody>
+  <tr>
+   <td>{{specName("CSP 3.0")}}</td>
+   <td>{{Spec2("CSP 3.0")}}</td>
+   <td>Adds <code>manifest-src</code>, <code>navigate-to</code>, <code>report-to</code>, <code>strict-dynamic</code>, <code>worker-src</code>. Undeprecates <code>frame-src</code>. Deprecates <code>report-uri</code> in favor if <code>report-to</code>.</td>
+  </tr>
+  <tr>
+   <td>{{specName("Mixed Content")}}</td>
+   <td>{{Spec2("Mixed Content")}}</td>
+   <td>Adds <code>block-all-mixed-content</code>.</td>
+  </tr>
+  <tr>
+   <td>{{specName("Subresource Integrity")}}</td>
+   <td>{{Spec2("Subresource Integrity")}}</td>
+   <td>Adds <code>require-sri-for</code>.</td>
+  </tr>
+  <tr>
+   <td>{{specName("Upgrade Insecure Requests")}}</td>
+   <td>{{Spec2("Upgrade Insecure Requests")}}</td>
+   <td>Adds <code>upgrade-insecure-requests</code>.</td>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 1.1")}}</td>
+   <td>{{Spec2("CSP 1.1")}}</td>
+   <td>Adds <code>base-uri</code>, <code>child-src</code>, <code>form-action</code>, <code>frame-ancestors</code>, <code>plugin-types</code>, <code>referrer</code>, and <code>report-uri</code>. Deprecates <code>frame-src</code>.</td>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 1.0")}}</td>
+   <td>{{Spec2("CSP 1.0")}}</td>
+   <td>Defines <code>connect-src</code>, <code>default-src</code>, <code>font-src</code>, <code>frame-src</code>, <code>img-src</code>, <code>media-src</code>, <code>object-src</code>, report-uri, <code>sandbox</code>, <code>script-src,</code> and <code>style-src</code>.</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table on this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.Content-Security-Policy")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy-Report-Only")}}</li>
+ <li><a href="/en-US/docs/Web/HTTP/CSP">Learn about: Content Security Policy</a></li>
+ <li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy">Content Security in WebExtensions</a></li>
+ <li><a href="https://csp.withgoogle.com/docs/strict-csp.html">Adopting a strict policy</a></li>
+ <li><a href="https://csp-evaluator.withgoogle.com/">CSP Evaluator</a> - Evaluate your Content Security Policy</li>
+</ul>
diff --git a/files/ko/web/http/headers/content-security-policy/report-to/index.html b/files/ko/web/http/headers/content-security-policy/report-to/index.html
new file mode 100644
index 0000000000..2fe0b56b97
--- /dev/null
+++ b/files/ko/web/http/headers/content-security-policy/report-to/index.html
@@ -0,0 +1,80 @@
+---
+title: report-to
+slug: Web/HTTP/Headers/Content-Security-Policy/report-to
+translation_of: Web/HTTP/Headers/Content-Security-Policy/report-to
+---
+<p> </p>
+
+<p><dfn><code>Report-To</code></dfn> HTTP 응답 해더 필드는 사용자 에이전트(브라우저)가 레포트를 저장하기 위한 origin의 엔드포인트를 지정합니다.</p>
+
+<pre>Content-Security-Policy: ...; report-to groupname
+</pre>
+
+<p> </p>
+
+<p>이 지시어 자체로는 효과는 없지만 다른 지시문과 조합하여 의미를 가질 수 있습니다.</p>
+
+<table>
+ <tbody>
+  <tr>
+   <th scope="row">CSP version</th>
+   <td>1</td>
+  </tr>
+  <tr>
+   <th scope="row">Directive type</th>
+   <td>{{Glossary("Reporting directive")}}</td>
+  </tr>
+  <tr>
+   <th colspan="2" scope="row">This directive is not supported in the {{HTMLElement("meta")}} element.</th>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<pre>Content-Security-Policy: report-to &lt;json-field-value&gt;;</pre>
+
+<h2 id="Examples">Examples</h2>
+
+<p>더 자세한 정보와 예제는 {{HTTPHeader("Content-Security-Policy-Report-Only")}} 를 확인하세요.</p>
+
+<pre><a href="http://wicg.github.io/reporting/#report-to" id="ref-for-report-to①">Report-To</a>: { "<a href="http://wicg.github.io/reporting/#group" id="ref-for-group①">group</a>": "csp-endpoint",
+             "<a href="http://wicg.github.io/reporting/#max-age" id="ref-for-max-age①">max-age</a>": 10886400,
+             "<a href="http://wicg.github.io/reporting/#endpoints" id="ref-for-endpoints②">endpoints</a>": [
+               { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url②">url</a>": "https://example.com/csp-reports" }
+             ] },
+           { "<a href="http://wicg.github.io/reporting/#group" id="ref-for-group②">group</a>": "hpkp-endpoint",
+             "<a href="http://wicg.github.io/reporting/#max-age" id="ref-for-max-age②">max-age</a>": 10886400,
+             "<a href="http://wicg.github.io/reporting/#endpoints" id="ref-for-endpoints③">endpoints</a>": [
+               { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url③">url</a>": "https://example.com/hpkp-reports" }
+             ] }
+<a href="https://w3c.github.io/webappsec-csp/#content-security-policy" id="ref-for-content-security-policy①">Content-Security-Policy</a>: ...; <a href="https://w3c.github.io/webappsec-csp/#directives-reporting" id="ref-for-directives-reporting①">report-to</a> csp-endpoint
+</pre>
+
+<p> </p>
+
+<pre><a href="http://wicg.github.io/reporting/#report-to" id="ref-for-report-to">Report-To</a>: { "<a href="http://wicg.github.io/reporting/#group" id="ref-for-group">group</a>": "endpoint-1",
+             "<a href="http://wicg.github.io/reporting/#max-age" id="ref-for-max-age">max-age</a>": 10886400,
+             "<a href="http://wicg.github.io/reporting/#endpoints" id="ref-for-endpoints①">endpoints</a>": [
+               { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url">url</a>": "https://example.com/reports" },
+               { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url①">url</a>": "https://backup.com/reports" }
+             ] }
+
+<a href="https://w3c.github.io/webappsec-csp/#content-security-policy" id="ref-for-content-security-policy">Content-Security-Policy</a>: ...; <a href="https://w3c.github.io/webappsec-csp/#directives-reporting" id="ref-for-directives-reporting">report-to</a> endpoint-1</pre>
+
+<p> </p>
+
+<p>브라우저 호환성</p>
+
+<p>이 페이지의 호환성 테이블은 구조화된 데이터에서 생성됩니다. 데이터에 기여하고 싶다면 <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> 를 확인하고 pull request를 보내주세요.</p>
+
+<p>{{Compat("http.headers.csp.report-to")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTTPHeader("Content-Security-Policy-Report-Only")}}</li>
+</ul>
+
+<p> </p>
diff --git a/files/ko/web/http/headers/content-security-policy/script-src/index.html b/files/ko/web/http/headers/content-security-policy/script-src/index.html
new file mode 100644
index 0000000000..98999637aa
--- /dev/null
+++ b/files/ko/web/http/headers/content-security-policy/script-src/index.html
@@ -0,0 +1,167 @@
+---
+title: 'CSP: script-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/script-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/script-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>script-src</strong></code> 는 자바스크립트트에 대한 검증된 출처를 지정합니다. 여기에는 {{HTMLElement("script")}} 요소에서 직접 호출한 URL뿐만 아니라,  인라인 스크립트  이벤트 핸들러(<code>onclick</code>) 및 스크립트를 실행할 수 있는  <a href="/en-US/docs/Web/XSLT">XSLT stylesheets</a> 가 포함됩니다.</p>
+
+<table class="properties">
+ <tbody>
+  <tr>
+   <th scope="row">CSP version</th>
+   <td>1</td>
+  </tr>
+  <tr>
+   <th scope="row">Directive type</th>
+   <td>{{Glossary("Fetch directive")}}</td>
+  </tr>
+  <tr>
+   <th scope="row">{{CSP("default-src")}} fallback</th>
+   <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p>하나 이상의 출처가 <code>script-src</code> 정책에 의해서 허용될 수 있습니다:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: script-src &lt;source&gt;;
+Content-Security-Policy: script-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<dl>
+ <dt>'report-sample'</dt>
+ <dd> Report에 위반 코드 샘플을 포함시키려면 이 항목을 추가 해야 합니다.</dd>
+</dl>
+
+<h2 id="예제">예제</h2>
+
+<h3 id="Violation_case">Violation case</h3>
+
+<p>주어진 CSP 헤더:</p>
+
+<pre class="brush: bash">Content-Security-Policy: script-src https://example.com/</pre>
+
+<p>아래 스크립트가 차단되어서 로드 또는 실행되지 않습니다:</p>
+
+<pre class="brush: html">&lt;script src="https://not-example.com/js/library.js"&gt;&lt;/script&gt;</pre>
+
+<p>인라인 스크립트도 실행되지 않습니다:</p>
+
+<pre class="brush: html">&lt;button id="btn" onclick="doSomething()"&gt;</pre>
+
+<p>{{domxref("EventTarget.addEventListener", "addEventListener")}}를 호출하는 것으로 대체해야 합니다.:</p>
+
+<pre class="brush: js">document.getElementById("btn").addEventListener('click', doSomething);</pre>
+
+<h3 id="안전하지_않은_인라인_스크립트">안전하지 않은 인라인 스크립트</h3>
+
+<div class="note">
+<p><strong>Note:</strong> 인라인 스타일 및 인라인 스크립트를 허용하지 않는 것이 CSP가 제공하는 가장 큰 보안 이점 중 하나 입니다. 그러나, 인라인 스크립트 및 스타일을 사용해야만 한다면 몇가지 방법을 제공합니다.</p>
+</div>
+
+<p>인라인 스크립트 및 인라인 이벤트 핸들러를 허용하려면, <code>'unsafe-inline'</code>,  인라인 태그에 정의한 값과 동일한 nonce-source 또는 hash-source를 지정할 수 있습니다.</p>
+
+<pre class="brush: bash">Content-Security-Policy: script-src 'unsafe-inline';
+</pre>
+
+<p>위의 CSP는 {{HTMLElement("script")}} 태그를 허용합니다</p>
+
+<pre class="brush: html">&lt;script&gt;
+  var inline = 1;
+&lt;/script&gt;</pre>
+
+<p>nonce-source를 사용하면 특정 인라인 스크립트 태그만 허용 할 수 있습니다:</p>
+
+<pre class="brush: bash">Content-Security-Policy: script-src 'nonce-2726c7f26c'</pre>
+
+<p>{{HTMLElement("script")}} 태그에 동일한 nonce를 설정해야 합니다 :</p>
+
+<pre class="brush: html">&lt;script nonce="2726c7f26c"&gt;
+  var inline = 1;
+&lt;/script&gt;</pre>
+
+<p>또는, 인라인 스크립트에서 해시를 설정할 수 도 있습니다. CSP는 sha256, sha384 and sha512를 지원합니다.</p>
+
+<pre class="brush: bash">Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='</pre>
+
+<p>해시를 생성할 때에는 {{HTMLElement("script")}} 태그를 포함하지 말고, 대소문자, 태그의 앞뒤 공백이 포함되어야 하는 것을 유의해주십시요.</p>
+
+<pre class="brush: html">&lt;script&gt;var inline = 1;&lt;/script&gt;</pre>
+
+<h3 id="안전하지_않은_eval_표현식">안전하지 않은 eval 표현식</h3>
+
+<p><code>'unsafe-eval'</code> 출처 표현식은 문자열에서 코드를 생성하는 여러 스크립트 실행 메소드를 제어합니다.  만약<code>'unsafe-eval'</code> 이  <code>script-src</code> 에 정의되어 있지 않으면, 아래믜 명령어는 차단되며 아무런 효과가 일어나지 않습니다.</p>
+
+<ul>
+ <li><code><a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval">eval()</a></code></li>
+ <li><code><a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function">Function()</a></code></li>
+ <li>아래와 같이 문자열 리터럴을 전달할 때 :<br>
+  <code>window.setTimeout("alert(\"Hello World!\");", 500);</code>
+  <ul>
+   <li>{{domxref("window.setTimeout")}}</li>
+   <li>{{domxref("window.setInterval")}}</li>
+   <li>{{domxref("window.setImmediate")}}</li>
+  </ul>
+ </li>
+ <li>{{domxref("window.execScript")}} {{non-standard_inline}} (IE &lt; 11 only)</li>
+</ul>
+
+<h3 id="strict-dynamic"><code>strict-dynamic</code></h3>
+
+<p>The <code>'strict-dynamic</code>' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as <code>'self'</code> or <code>'unsafe-inline'</code> will be ignored. For example, a policy such as <code>script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/</code> would allow loading of a root script with <code>&lt;script nonce="R4nd0m" src="https://example.com/loader.js"&gt;</code>  and propogate that trust to any script loaded by <code>loader.js</code>, but disallow loading scripts from <code>https://whitelisted.com/</code> unless accompanied by a nonce or loaded from a trusted script.</p>
+
+<pre class="brush: bash">script-src 'strict-dynamic' 'nonce-<em>someNonce</em>'</pre>
+
+<p><em>Or</em></p>
+
+<pre class="brush: bash">script-src 'strict-dynamic' 'sha256-<em>base64EncodedHash</em>'</pre>
+
+<p>It is possible to deploy <code>strict-dynamic</code> in a backwards compatible way, without requiring user-agent sniffing.<br>
+ The policy:</p>
+
+<pre class="brush: bash">script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'</pre>
+
+<p>will act like<code>'unsafe-inline' https:</code> in browsers that support CSP1, <code>https: 'nonce-abcdefg'</code> in browsers that support CSP2, and <code>'nonce-abcdefg' 'strict-dynamic'</code> in browsers that support CSP3.</p>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+  <tr>
+   <th scope="col">Specification</th>
+   <th scope="col">Status</th>
+   <th scope="col">Comment</th>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 3.0", "#directive-script-src", "script-src")}}</td>
+   <td>{{Spec2('CSP 3.0')}}</td>
+   <td>No changes.</td>
+  </tr>
+  <tr>
+   <td>{{specName("CSP 1.1", "#directive-script-src", "script-src")}}</td>
+   <td>{{Spec2('CSP 1.1')}}</td>
+   <td>Initial definition.</td>
+  </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.script-src")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("script")}}</li>
+</ul>