To complete the policy spectrum alongside the permissive modifications, here is a proposal for a Strict Secure Mode (secure.json). This baseline provides maximum hardening by implementing a "default-deny" approach to structural and executable subresources.
- Strict Secure Mode (secure)
This profile disables all third-party scripting, frame embedding, and plugin execution by default, isolating the browser to processing strictly static asset types (styles, basic images, and local fonts). Because the rule appends the header rather than replacing it, a site that already sends its own CSP ends up with two policies and the browser enforces both, so the result is never looser than what the site set itself.
{
  "id": 103,
  "priority": 2,
  "action": {
    "type": "modifyHeaders",
    "responseHeaders": [
      {
        "header": "Content-Security-Policy",
        "operation": "append",
        "value": "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https:; frame-src 'none'; object-src 'none'; base-uri 'none';"
      }
    ]
  },
  "condition": {
    "resourceTypes": ["main_frame", "sub_frame"]
  }
}
Key Technical Aspects of this Policy:
default-src 'none': Blocks every fetch (XHR/fetch via connect-src, media, workers and so on) that is not explicitly allowed by a more specific directive in the policy; any fetch directive left unset inherits this 'none'.
script-src 'self': Disallows all inline scripts and third-party remote scripts, so only same-origin script files run, eliminating the vast majority of XSS vectors and tracking networks.
frame-src 'none'; object-src 'none': Neutralizes UI redressing, clickjacking, and browser component/plugin exploitation vectors entirely. Note that frame-src governs what the page may embed; whether the page can itself be framed by another site is controlled by frame-ancestors, which this policy leaves unset.
Visual Fallbacks: It leaves style-src and img-src partially open to HTTPS endpoints so that basic text layout and images don't completely collapse, allowing read-only use of untrusted websites. The 'unsafe-inline' in style-src is what keeps inline styles rendering; it is the one relaxation in this policy and is a usability trade-off.
Offering these three defaults (permissive-plus, permissive-plus-plus, and secure) would give matrix³ a robust, comprehensive security ladder right out of the box.
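As an added example (not part of this proposal or of matrix³ itself), the small evaluator below applies the CSP fallback rules that the secure profile relies on, so the effect of each directive in the "Key Technical Aspects" list can be checked against concrete loads; the policy string is copied from the rule above, and the page origin and URLs are constructed sample inputs.

```javascript
// Header value taken verbatim from the secure.json rule above.
const SECURE_CSP = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https:; " +
  "img-src 'self' data: https:; font-src 'self' https:; frame-src 'none'; object-src 'none'; base-uri 'none';";

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Fetch directives that are absent fall back to default-src. connect-src is the
// notable case here: the policy never lists it, so XHR/fetch inherit 'none'.
const FETCH_DIRECTIVES = new Set(["script-src", "style-src", "img-src", "font-src",
  "connect-src", "frame-src", "object-src", "media-src", "worker-src"]);
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive)) return policy.get("default-src") || ["*"];
  return ["*"]; // non-fetch directives (e.g. base-uri) have no default-src fallback
}

// Decide whether loading `url` under `directive` is allowed on a page at `pageOrigin`.
// Supports 'none', 'self', scheme sources (https:, data:) and exact host sources.
function isAllowed(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources.includes("'none'")) return false;
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.endsWith(":")) return target.protocol === src; // scheme-source
    if (src.startsWith("'")) return false;                 // other keyword, not a host
    const host = src.includes("://") ? new URL(src).host : src; // host-source
    return target.host === host;
  });
}

// Sample check on constructed inputs: a same-origin script passes, a CDN script and
// an API call do not, while an HTTPS stylesheet and an inline data: image still load.
const policy = parseCsp(SECURE_CSP);
const pageOrigin = "https://site.example";
console.log(isAllowed(policy, "script-src", "https://cdn.example/lib.js", pageOrigin)); // false
console.log(isAllowed(policy, "connect-src", "https://site.example/api", pageOrigin)); // false
console.log(isAllowed(policy, "style-src", "https://cdn.example/a.css", pageOrigin));  // true
```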