Variable recommended_policy`Const`

recommended_policy: {
    base-uri: string[];
    connect-src: string[];
    default-src: string[];
    font-src: string[];
    form-action: string[];
    frame-ancestors: string[];
    img-src: string[];
    manifest-src: string[];
    object-src: string[];
    prefetch-src: string[];
    script-src: string[];
    style-src: string[];
    upgrade-insecure-requests: boolean;
} = ...

Recommended policy for most sites.

Differences with the standard policy are the following ones:

font-src is set to 'self', to allow self-hosted fonts
frame-ancestors is set to 'none'
manifest-src is set to 'self', to allow a self-hosted web application manifest,so the website can be installed as Progressive Web App. Learn more: https://developer.mozilla.org/en-US/docs/Web/Manifest
object-src is set to 'none' as recommended here: https://csp.withgoogle.com/docs/strict-csp.html
prefetch-src is set to 'self, to allow prefetching content hosted on this origin
upgrade-insecure-requests is set to true, even if I am not sure it's really necessary, since it does NOT replace HSTS. Learn more: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

Variable recommended_policyConst

Settings

Variable recommended_policy`Const`