KA Hearth

A small blog where Matthias posted thoughts on things happening around Khan Academy. (Archived)

What is the CSP

One of the most useful pieces of information to have when pushing the limits of Khan Academy's live editor is its Content Security Policy (CSP). The CSP defines which domains each type of resource (fonts, images, scripts, and so on) may be loaded from on Khan Academy. For an introduction to what a CSP is, see this post about making POST requests.

The policy is returned in the content-security-policy response header from https://www.kasandbox.org/computer-programming/exec/pjs. Last I checked, the CSP for both the webpage and PJS environments is what's listed below (one row per directive; the values in a row are the source expressions allowed for that directive):

| Data type | CSP directive | Valid values |
| --- | --- | --- |
| Default | default-src | 'none' |
| Fonts | font-src | data: 'self' fonts.gstatic.com themes.googleusercontent.com *.bootstrapcdn.com |
| Images | img-src | *.kastatic.org www.khanacademy.org *.kasandbox.org chart.googleapis.com upload.wikimedia.org ka-perseus-images.s3.amazonaws.com 'self' |
| Videos & Audio | media-src | *.kastatic.org www.khanacademy.org *.kasandbox.org |
| CSS | style-src | *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com *.bootstrapcdn.com fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline' |
| JavaScript | script-src | *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com ajax.googleapis.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-inline' 'unsafe-eval' |
| iframes | child-src | *.kastatic.org www.khanacademy.org 'self' |
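As an added example (not code from the KA Hearth post or from Khan Academy), here is a small JavaScript checker that parses the header above into its directives and answers whether a given resource URL is allowed by a directive. It assumes the page origin is https://www.kasandbox.org and implements only the source forms that occur in this policy, so it also shows why a directive missing from the table (such as connect-src) falls back to default-src 'none'.

```javascript
// Added example, not code from the KA Hearth post: parse a CSP header and
// check whether a URL is allowed by one of its directives. Covers only the
// source forms present in this policy: 'none', 'self', scheme sources such
// as data:, exact hosts and *.host wildcards (no port or path matching).

// Constructed from the table above; a real header is a single line with
// directives separated by ";" and source expressions by whitespace.
const KA_CSP =
  "default-src 'none'; " +
  "font-src data: 'self' fonts.gstatic.com themes.googleusercontent.com *.bootstrapcdn.com; " +
  "img-src *.kastatic.org www.khanacademy.org *.kasandbox.org chart.googleapis.com " +
  "upload.wikimedia.org ka-perseus-images.s3.amazonaws.com 'self'; " +
  "media-src *.kastatic.org www.khanacademy.org *.kasandbox.org; " +
  "style-src *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com " +
  "*.bootstrapcdn.com fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'; " +
  "script-src *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com " +
  "ajax.googleapis.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-inline' 'unsafe-eval'; " +
  "child-src *.kastatic.org www.khanacademy.org 'self'";

// Split the header into { directiveName: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does a single source expression match the URL? selfOrigin is the origin
// of the document the policy was served for (assumed: www.kasandbox.org).
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (s.endsWith(":")) return url.protocol === s;          // scheme source, e.g. data:
  if (s.startsWith("'")) return false;                     // 'unsafe-inline' etc. never match a URL
  const host = url.hostname;
  if (s.startsWith("*.")) return host.endsWith(s.slice(1)); // *.kastatic.org -> cdn.kastatic.org, not kastatic.org
  return host === s;
}

// Fetch directives (img-src, script-src, connect-src, ...) fall back to
// default-src when absent, which is why 'none' there blocks e.g. XHR.
function isAllowed(policy, directive, urlString, selfOrigin = "https://www.kasandbox.org") {
  const url = new URL(urlString);
  const sources = policy[directive] || policy["default-src"] || [];
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}
```

Call `isAllowed(parseCsp(KA_CSP), "script-src", url)` to see whether a library host is loadable before wiring it into a program; real browsers also apply scheme and port rules this checker omits.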