|string|null */
    public $defaultSrc = [
        'self',
        'www.google.com',
    ];

    /**
     * Lists allowed scripts' URLs.
     *
     * NOTE(review): 'unsafe-inline' and 'unsafe-eval' permit inline scripts and
     * string-to-code evaluation, which removes most of the protection this
     * directive gives against injected script. Prefer nonces or hashes for
     * inline scripts, and drop 'unsafe-eval' if no dependency requires it.
     *
     * @var list<string>|string
     */
    public $scriptSrc = [
        'self',
        'unsafe-inline',
        'unsafe-eval',
        // NOTE(review): two hosts share one list entry; confirm the header
        // builder emits this string as two separate sources.
        'www.google.com www.gstatic.com'
    ];

    /**
     * Lists allowed stylesheets' URLs.
     *
     * NOTE(review): browsers that honour nonces ignore 'unsafe-inline' when a
     * valid nonce source is present in the same directive, so these two
     * entries do not combine. 'nonce-{csp-style-nonce}' is a literal
     * placeholder in this list; verify that it is replaced with a
     * per-response nonce before the header is sent - TODO confirm.
     *
     * @var list<string>|string
     */
    public $styleSrc = [
        'self',
        'unsafe-inline',
        'nonce-{csp-style-nonce}',
        'https://fonts.googleapis.com',
    ];

    /**
     * Defines the origins from which images can be loaded.
     *
     * The 'data:' and 'blob:' schemes additionally allow inline and
     * script-created image content.
     *
     * @var list<string>|string
     */
    public $imageSrc = [
        'self',
        'data:',
        'blob:',
    ];

    /**
     * Restricts the URLs that can appear in a page's `<base>` element.
     *
     * Will default to self if not overridden
     *
     * @var list<string>|string|null
     */
    public $baseURI;

    /**
     * Lists the URLs for workers and embedded frame contents
     *
     * @var list<string>|string
     */
    public $childSrc = 'self';

    /**
     * Limits the origins that you can connect to (via XHR,
     * WebSockets, and EventSource).
     *
     * @var list<string>|string
     */
    public $connectSrc = [
        'self',
        'nominatim.openstreetmap.org',
    ];

    /**
     * Specifies the origins that can serve web fonts.
     *
     * @var list<string>|string
     */
    public $fontSrc = [
        'self',
        'fonts.googleapis.com',
        'fonts.gstatic.com',
    ];

    /**
     * Lists valid endpoints for submission from `<form>` tags.
     *
     * @var list<string>|string
     */
    public $formAction = 'self';

    /**
     * Specifies the sources that can embed the current page.
     * This directive applies to ``, `