.Trust

The .Trust file populates the Content-Security-Policy (CSP) HTTP header sent with your pages. The header tells the browser which 3rd party origins a page may load resources from (Google Analytics, YouTube videos, etc.) and, through frame-ancestors, which 3rd party sites may embed your pages in theirs.

Usage

You don’t need to set a file type on the .Trust file.

The body of the .Trust file uses either the simple format or the fully defined format, both described below.

Note that if a .Trust file increases the trust level of your entire website, i.e. it trusts a provider that no other app on the site already trusts, you MUST commit your changes for them to take effect. This prevents malware from quietly trusting a 3rd party provider, even temporarily, without anyone noticing. To rephrase: if any app on your website already trusts www.youtube.com, an extra .Trust file that also trusts www.youtube.com takes effect without a commit. If it is the first file on the site to trust www.youtube.com, you do need to commit.

Simple format

Just list each domain you want to trust on a new line. For example:

www.youtube.com
www.google-analytics.com

This allows every kind of communication with the listed providers: scripts, styles, images, fonts, media, frames, fetch/XHR connections, form submissions and embedding.

Valid values are:

foo.com
http://foo.com
https://foo.com

WARNING: the simple format is easy to write, but it bloats the HTTP headers (eleven directives per trusted host), which makes your website a bit slower. It also grants the provider far more than it usually needs: script-src, object-src, form-action and frame-ancestors are all opened to it, so an analytics provider ends up allowed to run scripts on your page, receive your form submissions and frame your site. Use the simple format only for prototyping, and always go with the fully defined format if you can.

Fully defined format

Use any valid Content-Security-Policy rules.

For example, the simple format rule www.youtube.com is equivalent to the fully defined rule:

default-src www.youtube.com
script-src www.youtube.com
style-src www.youtube.com
img-src www.youtube.com
connect-src www.youtube.com
font-src www.youtube.com
object-src www.youtube.com
media-src www.youtube.com
child-src www.youtube.com
form-action www.youtube.com
frame-ancestors www.youtube.com

You can also use the semicolon separated representation:

default-src www.youtube.com; script-src www.youtube.com; style-src www.youtube.com; img-src www.youtube.com; connect-src www.youtube.com; font-src www.youtube.com; object-src www.youtube.com; media-src www.youtube.com; child-src www.youtube.com; form-action www.youtube.com; frame-ancestors www.youtube.com

Valid directive values are the same as for the simple format, plus, where applicable, the 'sha256-…' hash source: the base64-encoded SHA-256 of an inline script, in single quotes. In particular, you can't use it for style-src. Once a hash (or nonce) source appears in a directive, browsers ignore 'unsafe-inline' in that directive, so a hash in style-src would break the 'unsafe-inline' rule for styles that other applications rely on.

Hash example

script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='
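The expansion of the simple format, the per-page merge of several .Trust files, the commit rule for site-wide trust increases and the 'sha256-…' hash source, modelled in Python as an added example. This is not the platform's own code: the expansion table, the style-src restriction and the commit rule follow this page, while the set of directive names accepted in the fully defined format, the host and hash validation and the rule that one file uses only one format are my assumptions. The sample inputs (a YouTube app in the simple format and an analytics app in the fully defined format, installed on the same page) are constructed.

```python
"""Model of how .Trust bodies become a Content-Security-Policy header.
Added example, not the platform's code: the expansion table, style-src
hash rule, per-page merge and commit rule are from the page; directive
names, host/hash validation and one-format-per-file are assumptions."""
import base64
import hashlib
import re

# The eleven directives one simple-format host expands into (from the page).
SIMPLE_DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "child-src", "form-action",
    "frame-ancestors",
)
# CSP3 directive names accepted in the fully defined format (assumption).
CSP_DIRECTIVES = set(SIMPLE_DIRECTIVES) | {
    "frame-src", "worker-src", "manifest-src", "base-uri", "sandbox",
    "upgrade-insecure-requests", "report-uri", "report-to",
}
_HOST = re.compile(r"^(?:https?://)?[A-Za-z0-9*.-]+(?::\d+)?$")
_SHA256 = re.compile(r"^'sha256-[A-Za-z0-9+/]{43}='$")  # 32 bytes as base64


def is_host(token: str) -> bool:
    """foo.com, http://foo.com, https://foo.com (plus *.foo.com, host:port)."""
    return bool(_HOST.match(token)) and token not in CSP_DIRECTIVES


def valid_source(directive: str, value: str) -> bool:
    """Hosts anywhere; 'sha256-...' anywhere except style-src, where the page
    says a hash would disable the 'unsafe-inline' other apps rely on."""
    return is_host(value) or (bool(_SHA256.match(value)) and directive != "style-src")


def parse_trust(body: str) -> dict:
    """Return {directive: [sources]} for one .Trust body.  Statements are
    newline- or semicolon-separated; if every one is a bare host the body is
    in the simple format and each host is expanded into SIMPLE_DIRECTIVES."""
    statements = [s.strip() for s in re.split(r"[;\n]", body) if s.strip()]
    hosts = [s for s in statements if is_host(s)]
    policy: dict = {}
    if hosts and len(hosts) == len(statements):
        for host in hosts:
            for directive in SIMPLE_DIRECTIVES:
                policy.setdefault(directive, []).append(host)
        return policy
    if hosts:
        raise ValueError("simple and fully defined rules mixed in one .Trust file")
    for statement in statements:
        directive, *sources = statement.split()
        if directive not in CSP_DIRECTIVES:
            raise ValueError(f"unknown directive {directive!r}")
        if not all(valid_source(directive, s) for s in sources):
            raise ValueError(f"invalid source in {statement!r}")
        policy.setdefault(directive, []).extend(sources)
    return policy


def merge(*policies: dict) -> dict:
    """Union per directive of the .Trust files of the apps on ONE page;
    other pages are untouched, which is the page's 'fresh air' point."""
    merged: dict = {}
    for policy in policies:
        for directive, sources in policy.items():
            bucket = merged.setdefault(directive, [])
            bucket.extend(s for s in sources if s not in bucket)
    return merged


def render_header(policy: dict) -> str:
    """Serialize to the semicolon-separated Content-Security-Policy value."""
    order = list(SIMPLE_DIRECTIVES) + sorted(set(policy) - set(SIMPLE_DIRECTIVES))
    return "; ".join(" ".join([d, *policy[d]]) for d in order if d in policy)


def raises_site_trust(site_policies: list, new_policy: dict) -> bool:
    """True when new_policy names a source no .Trust file on the site already
    trusts: the case the page says needs a commit before it takes effect."""
    trusted = {s for p in site_policies for srcs in p.values() for s in srcs}
    return any(s not in trusted for srcs in new_policy.values() for s in srcs)


def hash_source(inline_script: str) -> str:
    """CSP hash source for an inline <script>: SHA-256 over the exact text
    between the tags (whitespace included), base64, single-quoted."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode()}'"


if __name__ == "__main__":
    # Constructed inputs: a video app (simple format) and an analytics app
    # (fully defined format) installed on the same page.
    video = parse_trust("www.youtube.com\n")
    analytics = parse_trust("script-src www.google-analytics.com; "
                            "connect-src www.google-analytics.com")
    print(render_header(merge(video, analytics)))
    print(raises_site_trust([video], analytics))  # True: new provider, commit needed
    print(hash_source('console.log("hello")'))
```

Running the file prints the merged header for a page carrying both constructed apps, shows that the analytics app is the first on the site to trust its provider (so it would need a commit), and prints a hash source for a constructed inline script. A quick sanity check for any hashing tool: hash_source("") returns 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=', the well-known SHA-256 of empty content; if your tooling gives something else, it is hashing something other than the exact bytes the browser will hash.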

IMPORTANT: only use the directives and values you absolutely need. Each additional value makes the header larger and the website slower, and widens what the browser will accept from that provider.

A bit of fresh air

You have been warned a couple of times on this page not to use any Content-Security-Policy rules that you don't absolutely need. Please note that simply installing an app won't make your site slower. For example, if you install a YouTube video player, the HTTP headers will only include rules allowing communication with YouTube on pages that actually contain a YouTube video player; other pages will not carry them. This is in sharp contrast with most content management systems, where a single setting applies to your entire website.