Douglas Gonçalves vixdouglas

	<?
	//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
	$headerCSP = "Content-Security-Policy:".
	"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
	"default-src 'self';". // Default policy for loading html elements
	"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
	"frame-src 'none';". // vaid sources for frames
	"media-src 'self' *.example.com;". // vaid sources for media (audio and video html tags src)
	"object-src 'none'; ". // valid object embed and applet tags src
	"report-uri https://example.com/violationReportForCSP.php;". //A URL that will get raw json data in post that lets you know what was violated and blocked