A small blog where Matthias posted thoughts on things happening around Khan Academy. (Archived)
One of the most useful pieces of information you can have when trying to stretch the limits of Khan Academy’s live-editor is knowledge of the Content Security Policy (CSP). The CSP defines which domains you can load each type of data from on Khan Academy. For information about what CSP is, see this post about making POST requests.
The content security policy is returned as one of the headers (`content-security-policy`) from `https://www.kasandbox.org/computer-programming/exec/pjs`. Last I checked, the CSP for both the webpage and PJS environments is what’s listed below:
Data Type | CSP name | Valid values |
---|---|---|
Default | default-src | 'none' |
Fonts | font-src | data: 'self' fonts.gstatic.com themes.googleusercontent.com *.bootstrapcdn.com |
Images | img-src | *.kastatic.org www.khanacademy.org *.kasandbox.org chart.googleapis.com upload.wikimedia.org ka-perseus-images.s3.amazonaws.com 'self' |
Videos & Audio | media-src | *.kastatic.org www.khanacademy.org *.kasandbox.org |
CSS | style-src | *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com *.bootstrapcdn.com fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline' |
JavaScript | script-src | *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com ajax.googleapis.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-inline' 'unsafe-eval' |
iframes | child-src | *.kastatic.org www.khanacademy.org 'self' |
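
To check a URL against the table above, the following added example (not code from the original post or from Khan Academy) parses a policy string assembled from the table and reports whether a directive permits a given URL. The function names, `SELF_ORIGIN`, and the simplified rule that scheme-less host sources match only `https:` on the default port are assumptions of this sketch.

```javascript
// Policy string assembled from the table on this page (constructed, not fetched live).
const POLICY = [
  "default-src 'none'",
  "font-src data: 'self' fonts.gstatic.com themes.googleusercontent.com *.bootstrapcdn.com",
  "img-src *.kastatic.org www.khanacademy.org *.kasandbox.org chart.googleapis.com upload.wikimedia.org ka-perseus-images.s3.amazonaws.com 'self'",
  "media-src *.kastatic.org www.khanacademy.org *.kasandbox.org",
  "style-src *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com *.bootstrapcdn.com fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'",
  "script-src *.kastatic.org www.khanacademy.org 'self' cdn.rawgit.com rawgit.com ajax.googleapis.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-inline' 'unsafe-eval'",
  "child-src *.kastatic.org www.khanacademy.org 'self'",
].join("; ");

// Assumption: 'self' is the origin of the sandbox URL named on this page.
const SELF_ORIGIN = "https://www.kasandbox.org";

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === SELF_ORIGIN;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme source such as data:
  // Simplification: on an https page, a scheme-less host source matches https on the default port.
  if (url.protocol !== "https:" || url.port !== "") return false;
  if (src.startsWith("*.")) return url.hostname.endsWith(src.slice(1)); // subdomains only, not the bare domain
  return url.hostname === src;
}

function isAllowed(directive, rawUrl, policy = parseCsp(POLICY)) {
  // Fetch directives that the policy does not list fall back to default-src.
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (!sources) return true; // neither directive present: the policy does not restrict this load
  return sources.some((s) => sourceMatches(s, new URL(rawUrl)));
}
```

Under the policy as listed, `connect-src` is absent, so `isAllowed("connect-src", ...)` falls back to `default-src 'none'` and returns `false` for every URL. Note also that `*.kastatic.org` covers subdomains but not the bare `kastatic.org` host.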