What is Content Security Policy?
default-src 'self'; img-src *; script-src https://userscripts.example.com
Why would I use Content Security Policy?
A correctly configured policy affords you and your users additional security against certain attacks. Commonly, it can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks, and others. More generally, it allows you to control where content displayed by clients visiting your site can be loaded from.
How can I write one?
Example use cases and policy can be found at https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy
http://w3c.github.io/webappsec-csp/ and https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives provide more complete descriptions of directives and use, as well as implementation considerations and client support information.
https://developer.chrome.com/extensions/contentSecurityPolicy and https://developer.chrome.com/apps/contentSecurityPolicy provide documentation specific to Chrome, but are targeted more towards extension/application development.
https://msdn.microsoft.com/en-us/library/dn904195%28v=vs.85%29.aspx provides limited documentation for Edge.
Can I/how do I use Content Security Policy with Cloudflare?
Yes, you can use a Content Security Policy with sites behind Cloudflare. We do not modify the Content-Security-Policy header sent by your origin.
No changes need to be made to the sources you allow for your own or third-party content. Using Cloudflare does not affect or modify the URLs that you use to include content, and therefore will not interfere with clients’ ability to match the locations specified in your policy against the locations used to include resources.
If you use certain Cloudflare features, you will need to allow inline scripts in your policy. We include scripts on your domain and add some inline code when you enable Rocket Loader, Cloudflare Apps, or ScrapeShield.
If you do use any of these features, you will need to add the following to your Content Security Policy:
script-src 'self' 'unsafe-inline'
An example CSP header for use with Rocket Loader:
script-src 'unsafe-eval' 'self' ajax.cloudflare.com;
An example CSP for use with Mirage:
script-src 'self' ajax.cloudflare.com;
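The following is an added example, not Cloudflare's code or any browser's implementation. It models how a client matches a resource URL against a Content-Security-Policy header value, which is the check described above that Cloudflare does not interfere with, and it exercises the policies quoted on this page (the basic example, the 'unsafe-inline' addition, and the Rocket Loader and Mirage headers) against a hypothetical page at https://www.example.com/. It handles 'self', '*', scheme sources, host sources with optional scheme and port, the default-src fallback, and the rule that 'unsafe-inline' is ignored once a nonce or hash source is present. Path matching and 'strict-dynamic' are deliberately left out, so treat it as a simplified model rather than a conformance implementation.

```javascript
// Added example (not Cloudflare's code): a minimal model of CSP source matching.
const NETWORK_SCHEMES = ['http:', 'https:', 'ws:', 'wss:'];
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a header value such as "default-src 'self'; img-src *" into a Map of
// directive name -> list of source expressions. Conforming clients keep only the
// first occurrence of a duplicated directive, so we do the same.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (script-src, img-src, style-src, ...) fall back to default-src
// when absent. If neither is present the policy imposes no restriction (null).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one non-'self' source expression match a resource URL loaded by pageUrl?
function sourceMatches(expr, url, pageUrl) {
  const e = expr.toLowerCase();
  if (e.startsWith("'")) return false;                       // keywords, nonces, hashes never match a URL
  if (e === '*') return NETWORK_SCHEMES.includes(url.protocol); // '*' does not cover data: or blob:
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;                                      // not a host-source this model understands
  const [, scheme, hostPattern, port] = m;
  if (scheme) {
    if (url.protocol !== `${scheme}:`) return false;
  } else {
    // No scheme in the expression: the page's own scheme matches, and an http
    // page may still load the same host over https.
    const upgraded = pageUrl.protocol === 'http:' && url.protocol === 'https:';
    if (url.protocol !== pageUrl.protocol && !upgraded) return false;
  }
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (port === '*') return true;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port) return urlPort === port;
  return url.port === '';                                    // no port given: only the scheme's default port matches
}

// Would the client load resourceUrl under `directive` (e.g. 'script-src')?
function allowsResource(policy, directive, resourceUrl, pageUrl) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((s) =>
    s.toLowerCase() === "'self'" ? url.origin === page.origin : sourceMatches(s, url, page));
}

// Inline <script> blocks need 'unsafe-inline'; conforming clients ignore that
// keyword as soon as a nonce or hash source is also listed.
function allowsInlineScript(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function allowsEval(policy) {
  const sources = effectiveSources(policy, 'script-src');
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample run: the policies quoted on this page, checked for a
// hypothetical page at https://www.example.com/.
const PAGE = 'https://www.example.com/';
const basic = parseCsp("default-src 'self'; img-src *; script-src https://userscripts.example.com");
const rocketLoader = parseCsp("script-src 'unsafe-eval' 'self' ajax.cloudflare.com;");
console.log('basic allows userscripts.example.com script:',
  allowsResource(basic, 'script-src', 'https://userscripts.example.com/a.js', PAGE));
console.log('basic allows ajax.cloudflare.com script:',
  allowsResource(basic, 'script-src', 'https://ajax.cloudflare.com/cdn-cgi/x.js', PAGE));
console.log('rocket loader policy allows ajax.cloudflare.com script:',
  allowsResource(rocketLoader, 'script-src', 'https://ajax.cloudflare.com/cdn-cgi/x.js', PAGE));
console.log('rocket loader policy allows inline script:', allowsInlineScript(rocketLoader));
```

Two points the sample run makes concrete: the basic policy at the top of the page rejects ajax.cloudflare.com because its script-src names only userscripts.example.com, so the Cloudflare host has to be listed explicitly as in the Rocket Loader and Mirage headers; and the Rocket Loader header allows 'unsafe-eval' but still rejects inline scripts, so a site that also enables a feature that injects inline code needs the 'unsafe-inline' addition shown above (or a nonce or hash, which would disable 'unsafe-inline' in current clients).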