The .Trust file is used to populate the Content-Security-Policy HTTP header.
Browsers refuse to load anything that header does not explicitly allow, so the
file is where you permit embedding 3rd party resources in your website (Google
Analytics, YouTube videos, etc.) or embedding your own pages in 3rd party sites.
You don't need to set a file type on the .Trust file. As for the .Trust file
body, you can fill it with either the simple format or the fully defined format.
Note that if you increase the trust level of your entire website, you MUST
commit your changes for them to take effect. This is to prevent malware from
temporarily trusting a 3rd party provider without being noticed. To rephrase:
if any app on your website already trusts www.youtube.com, you will not need to
commit after creating an extra .Trust file that also trusts www.youtube.com; if
your new .Trust file is the first one to trust that provider, you do need to
commit.
Just list each domain you want to trust, one per line. This enables all kinds
of communication with the listed providers. Each line must be one of these
valid forms: foo.com, http://foo.com or https://foo.com.
WARNING: the simple format is easy to write, but it makes your website a bit slower because every listed domain is expanded into every directive and the HTTP headers get bloated. Use the simple format only for prototyping. Always go with the fully defined format if you can.
Use any valid Content-Security-Policy rules.
For example, the simple format rule www.youtube.com is equivalent to the fully defined rule:
default-src www.youtube.com script-src www.youtube.com style-src www.youtube.com img-src www.youtube.com connect-src www.youtube.com font-src www.youtube.com object-src www.youtube.com media-src www.youtube.com child-src www.youtube.com form-action www.youtube.com frame-ancestors www.youtube.com
You can also use the semicolon separated representation:
default-src www.youtube.com; script-src www.youtube.com; style-src www.youtube.com; img-src www.youtube.com; connect-src www.youtube.com; font-src www.youtube.com; object-src www.youtube.com; media-src www.youtube.com; child-src www.youtube.com; form-action www.youtube.com; frame-ancestors www.youtube.com
Valid directive values are the same as for the simple format, plus you can use
the sha256-* and nonce forms where applicable. In particular, you can't use them
for style-src: once a directive contains a hash or nonce, browsers ignore the
unsafe-inline rule in that directive, and other applications on the site assume
that rule is in effect for styles.
IMPORTANT: Only use the directives that you absolutely need, as each additional value makes the website slower.
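To make the two formats concrete, here is an added example (written for this page, not the platform's own code) that parses a .Trust body in either format, expands the simple format into the fully defined form shown above, rejects hash and nonce sources in style-src, and merges the policies of the apps present on one page into a single header value. The directive list is the one on this page; the extra directive names in OTHER_DIRECTIVES, the host regex and the sample bodies are assumptions made for the example, and the hash check covers sha384/sha512 as well as sha256 because CSP treats all hash algorithms the same way.

```python
"""Parse .Trust bodies in both formats, expand the simple format into the fully
defined Content-Security-Policy form, and merge the policies of the apps on a page.
Hypothetical helper code written for this page; not the platform's own implementation."""
import re

# The directives the simple format expands every host into (the page's list, in order).
SIMPLE_DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "child-src", "form-action",
    "frame-ancestors",
)

# Other directive names a fully defined body may use (assumed; any "*-src" is also accepted).
OTHER_DIRECTIVES = ("frame-src", "worker-src", "manifest-src", "base-uri", "report-uri")

# A simple-format line is a bare host, optionally prefixed with http:// or https:// (assumed).
SIMPLE_VALUE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+$")

# Hash and nonce sources. Per CSP, a directive that contains one of these makes the
# browser ignore 'unsafe-inline' in that directive, which is why style-src must not get one.
HASH_OR_NONCE = ("sha256-", "sha384-", "sha512-", "nonce-")


def is_directive(token):
    return token in SIMPLE_DIRECTIVES or token in OTHER_DIRECTIVES or token.endswith("-src")


def parse_trust(text):
    """Return {directive: [values]} for one .Trust body; the first token decides the format."""
    tokens = text.replace(";", " ").split()
    if not tokens:
        return {}
    return parse_full(tokens) if is_directive(tokens[0]) else parse_simple(text)


def parse_simple(text):
    """Simple format: one host per line, expanded into every directive in SIMPLE_DIRECTIVES."""
    policy = {directive: [] for directive in SIMPLE_DIRECTIVES}
    for lineno, line in enumerate(text.splitlines(), 1):
        host = line.strip()
        if not host:
            continue
        if not SIMPLE_VALUE.match(host):
            raise ValueError(f"line {lineno}: {host!r} is not a valid simple-format value")
        for directive in SIMPLE_DIRECTIVES:
            policy[directive].append(host)
    return policy


def parse_full(tokens):
    """Fully defined format: directive names followed by their values, with or without ';'."""
    policy = {}
    current = None
    for token in tokens:
        if is_directive(token):
            current = token
            policy.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"value {token!r} appears before any directive")
        if current == "style-src" and token.strip("'").startswith(HASH_OR_NONCE):
            raise ValueError("hash/nonce sources are not allowed in style-src: "
                             "they would disable the 'unsafe-inline' other apps rely on")
        policy[current].append(token)
    return policy


def merge_policies(policies):
    """Union the policies of every app present on one page (order kept, duplicates dropped)."""
    merged = {}
    for policy in policies:
        for directive, values in policy.items():
            slot = merged.setdefault(directive, [])
            for value in values:
                if value not in slot:
                    slot.append(value)
    return merged


def to_header(policy):
    """Serialize as the semicolon-separated Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items() if v)


if __name__ == "__main__":
    # Constructed sample bodies for two apps placed on the same page.
    youtube = parse_trust("www.youtube.com\n")  # simple format
    analytics = parse_trust("script-src https://www.google-analytics.com; "
                            "img-src https://www.google-analytics.com")  # fully defined
    print("simple-format expansion:", len(to_header(youtube)), "bytes")
    print("page header:", to_header(merge_policies([youtube, analytics])))
```

Running the sample shows the cost the warnings above are about: the one-line simple body for YouTube turns into eleven directives in the header, while the two-directive fully defined body for the analytics app adds only what that app needs, and the merged header for a page is simply the union of the policies of the apps that page actually contains.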
You have been warned a couple of times on this page not to use any
Content-Security-Policy rules that you don't absolutely need. Please note that
simply installing an app won't make your site slower. For example, if you
install a YouTube video player, the HTTP headers will only include the rules
allowing communication with YouTube on the pages that actually contain a
YouTube video player. Other pages will not. This is in stark contrast with most
content management systems, where you have a single setting for your