The CSP directive reference covers every directive field available in Document360's Content Security Policy settings, along with best practices for configuring them, methods for testing your policy, and guidance for troubleshooting blocked resources. Use this reference after you have enabled CSP and are ready to configure or validate your policy.
CSP directive groups
CSP settings in Document360 are organised into four groups. All fields accept comma-separated domain URLs in the format https://example.com.
Code policy
This group governs the sources from which code and styling resources are loaded. The Default source directive acts as a fallback for any resource type that does not have a more specific rule defined.
| Directive | Field name | Description |
|---|---|---|
default-src |
Default source | Defines fallback allowed domains for all resource types not covered by a more specific directive. A common starting value is 'self', which restricts all unlisted resource types to your own domain. |
script-src |
Script source | Specifies which domains can serve JavaScript on your Knowledge Base. Only scripts from listed sources will be executed by the browser. |
style-src |
Style source | Specifies which domains can provide stylesheets and CSS. Prevents malicious styles from being injected. |
Resource control
This group controls which external domains are allowed to supply media and data resources such as images, fonts, API calls, and background worker scripts.
| Directive | Field name | Description |
|---|---|---|
img-src |
Image source | Specifies the domains allowed to load images on your Knowledge Base site. |
font-src |
Font source | Specifies the domains allowed to serve font files used by your Knowledge Base. |
connect-src |
Connect source | Specifies the domains that scripts can connect to when making API calls or network requests (e.g., fetch, XHR, WebSocket). |
worker-src |
Worker source | Specifies the domains allowed to load background worker scripts used by your Knowledge Base. |
Embedding & Security
This group controls how your Knowledge Base embeds external content and how it can itself be embedded on other websites. It is particularly important for preventing clickjacking attacks and managing third-party content such as videos, widgets, and portals.
| Directive | Field name | Description |
|---|---|---|
frame-src |
Frame source | Specifies the domains allowed to be embedded as frames or iframes within your Knowledge Base (e.g., YouTube, Vimeo). |
frame-ancestors |
Frame ancestors | Specifies which domains are allowed to embed your Knowledge Base pages in their own frames. Use this to prevent unauthorised framing. |
form-action |
Form action | Specifies the domains to which form submissions from your Knowledge Base are allowed to be sent. |
object-src |
Object source | Specifies the domains allowed to load plugin content such as <object> or <embed> elements. Set to 'none' if not required. |
Reporting
The Reporting group instructs browsers to send violation reports to a designated endpoint whenever a resource is blocked by your policy. This is essential for identifying misconfigurations and potential attack attempts without disrupting your site.
| Directive | Field name | Description |
|---|---|---|
report-endpoint |
Report endpoint | Specifies the URL where browsers should send reports when resources are blocked by your CSP. Enter one or more comma-separated report endpoint URLs. |
report-to |
Report to | Specifies the reporting group name used by the browser to send CSP violation reports. This must match a reporting group defined in your site's reporting configuration. |
Ensure endpoint URLs entered in the Reporting fields are valid and publicly reachable before saving. The report endpoint must accept POST requests and respond with a 2xx status code.
Best practices
-
Start with a restrictive default — Set Default source to
'self'first. This creates a secure baseline where only resources from your own domain are allowed unless explicitly permitted elsewhere. Add specific domains in targeted fields rather than broadening Default source. -
Use specific directives instead of broad allowlists — Rather than adding many domains to Default source, use the targeted fields: Script source, Frame source, Connect source, and so on. This keeps the policy easier to maintain and reduces accidental overexposure.
-
Use reporting before enforcing — Configure Report endpoint first so you can monitor blocked resources before the policy affects your readers. Review violation reports for several days or weeks before tightening the policy.
-
Use nonce for custom inline scripts — Always use the
{{Document360-Nonce}}placeholder in custom HTML script sections. This allows trusted inline scripts to run securely without using'unsafe-inline', which would undermine your entire script policy.
How to test your Content Security Policy
After configuring and saving your CSP settings, verify that the policy is working as expected using one of the following methods.
Method 1: Via page source
- Open your Knowledge Base site in a browser.
- Right-click anywhere on the page and select View page source.
- Press Ctrl+F (Windows) or Cmd+F (Mac) and search for
Content-Security-Policy. - If found, the full CSP configuration appears next to this term, confirming it is active.
Method 2: Via browser developer tools
- Open your browser's developer tools (F12 or right-click > Inspect).
- Navigate to the Network tab.
- Visit your Knowledge Base and select any page request.
- Review the page HTML for the CSP meta tag.
Method 3: Via online tools
You can also use external tools such as securityheaders.com to analyse your site's security configuration. Since Document360 uses a meta element rather than a response header, some tools may report CSP as absent at the header level — this is expected.
Common issues
Video shows as 'This content is blocked' in one article but not another
The domain serving the video is not in your Frame source allowlist, or the domain differs between embed types (for example, https://www.youtube.com for standard embeds vs https://www.youtube-nocookie.com for privacy-enhanced embeds). Add both to Frame source.
Custom font displays incorrectly or falls back to system font
Font providers typically use two different domains — one for the CSS stylesheet and one for the actual font files. Both must be listed. For Google Fonts, add https://fonts.googleapis.com to Style source and https://fonts.gstatic.com to Font source.
Chat widget loads but doesn't function
Chat widgets often load scripts, make API calls, and load images from multiple domains. Check the browser console for all blocked requests — there may be several. Add all required domains to the appropriate directive fields (Script source, Connect source, Image source).
Form submission is blocked
If a form on your Knowledge Base submits to an external service, add that service's domain to the Form action field.
Violation reports are not arriving at the Report endpoint
Verify that:
- The endpoint URL is publicly reachable (not behind a VPN or firewall).
- The endpoint accepts POST requests and returns a 2xx response.
- The endpoint supports the
Content-Type: application/csp-reportrequest format. - If using the Report to directive, the named reporting group is correctly configured in your infrastructure.
CSP validation tool reports CSP as missing
Document360 implements CSP via a meta element in the page source, not via an HTTP response header. Tools that only check response headers will report CSP as missing. To confirm CSP is enabled, view the page source and search for Content-Security-Policy.
Browser differences
Most modern browsers (Chrome, Firefox, Edge, Safari) support the CSP meta element. Known differences:
frame-ancestorsis ignored when delivered via a meta element in some older browser versions. If frame embedding protection is critical, also enable X-Frame Protection.- Safari may handle some CSP directives differently from Chrome and Firefox. Test your configuration in Safari if your users are on Apple devices.
- Very old browsers (Internet Explorer 11 and below) do not support CSP. If you have IE11 users, CSP will be silently ignored.
Private Knowledge Base projects cannot be embedded in iframes. Authentication cookies are not set correctly inside iframes, which causes repeated login attempts and redirect errors. If you need to embed the Knowledge Base in another application, use a Knowledge base widget instead.
FAQ
What is the difference between frame-src and frame-ancestors?
These two directives control opposite directions of embedding. frame-src controls which external domains your Knowledge Base is allowed to embed (for example, a YouTube video in an article). frame-ancestors controls which external domains are allowed to embed your Knowledge Base inside their own pages.
How do I use the Reporting directives?
Enter the URL of your reporting endpoint in the Report endpoint field. When a browser blocks a resource, it sends a JSON report to this URL. Report to works alongside Report endpoint and specifies a named reporting group pre-configured in your site's reporting infrastructure — useful for enterprise setups with centralised security monitoring.
What should I add to the Default source field?
Start with 'self', which restricts all unlisted resource types to your own domain. Then add specific domains in the more targeted fields (Script source, Image source, etc.) rather than broadening Default source. A restrictive Default source with granular exceptions is more secure and easier to audit.
What is a CSP violation report and what does it look like?
When a browser blocks a resource, it sends a JSON payload to your Report endpoint. A typical report looks like this:
{
"csp-report": {
"document-uri": "https://docs.yourcompany.com/article",
"violated-directive": "script-src 'self'",
"blocked-uri": "https://cdn.example.com/widget.js",
"original-policy": "default-src 'self'; script-src 'self'"
}
}
The blocked-uri field tells you the exact domain to add to your allowlist. The violated-directive field tells you which directive field to update in Document360 settings.