---
title: 'CSP: child-src'
slug: Web/HTTP/Headers/Content-Security-Policy/child-src
translation_of: Web/HTTP/Headers/Content-Security-Policy/child-src
---
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}. For workers, non-compliant requests are treated as fatal network errors by the user agent.
| CSP version | 2 |
|---|---|
| Directive type | {{Glossary("Fetch directive")}} |
| {{CSP("default-src")}} fallback | Yes. If this directive is absent, the user agent will look for the default-src directive. |
One or more sources can be allowed for the child-src policy:
Content-Security-Policy: child-src <source>;
Content-Security-Policy: child-src <source> <source>;
{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
Given this CSP header:
Content-Security-Policy: child-src https://example.com/
This {{HTMLElement("iframe")}} and worker are blocked and won't load:
<iframe src="https://not-example.com"></iframe>
<script>
var blockedWorker = new Worker("data:application/javascript,...");
</script>
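The fallback rule and the two blocked cases above, as an added example that is not part of the original page: a simplified Node.js model of how a `child-src` decision is reached. The function names and the `https://site.example` origin are assumptions. Only `'self'`, scheme sources and `scheme://host[/path]` sources are modelled, and any other source form fails closed.

```javascript
// Added example: simplified model of child-src evaluation, not a full CSP implementation.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Directive names are case-insensitive; the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function matchesSource(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  // Scheme source such as "data:" or "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // 'none', wildcards and bare hosts are not modelled here: treat as no match.
  if (!source.includes("://")) return false;
  let allowed;
  try { allowed = new URL(source); } catch { return false; }
  if (allowed.origin !== url.origin) return false;
  // A source path ending in "/" is a prefix match; otherwise it must match exactly.
  const path = allowed.pathname;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// hypothetical helper: would a frame or worker at `target` be allowed?
function isChildAllowed(header, target, selfOrigin) {
  const policy = parsePolicy(header);
  // child-src absent: fall back to default-src, as described in the table above.
  const sources = policy.get("child-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // neither directive present: no restriction
  const url = new URL(target);
  return sources.some((s) => matchesSource(s, url, selfOrigin));
}

// The header and the two blocked loads from the example above.
const header = "child-src https://example.com/";
const self = "https://site.example"; // assumed origin of the protected page
console.log(isChildAllowed(header, "https://not-example.com", self));
console.log(isChildAllowed(header, "data:application/javascript,...", self));
console.log(isChildAllowed(header, "https://example.com/frame.html", self));
```
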
| Specification | Status | Comment |
|---|---|---|
| {{specName("CSP 3.0", "#directive-child-src", "child-src")}} | {{Spec2('CSP 3.0')}} | No changes. |
| {{specName("CSP 1.1", "#directive-child-srci", "child-src")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
{{Compat("http.headers.csp.Content-Security-Policy.child-src")}}