navigate-to
Content-Security-Policy Navigation

Overview

navigate-to was a directive meant to restrict the destination URLs a document may navigate to — covering link clicks, form submissions, window.location, window.open, and all navigation. However, its spec stalled and, amid privacy and implementation concerns, it was effectively abandoned and is unsupported in major browsers.

Details

Its design intent was broader than form-action (which controls only form submissions): to allowlist all navigation destinations, blocking page moves used for open redirects, phishing lures, or data exfiltration. For example, it was hoped navigate-to could block an XSS attempting location = 'https://evil.example/...' with credentials in tow.

But standardization halted due to privacy issues (redirect handling, cross-origin information exposure) and implementation complexity, and lacking interoperable browser support, it cannot be relied on for real defense. If you need to control navigation destinations, the realistic approach today is supported directives like form-action (forms) and frame-ancestors (embedding direction) plus application-level validation.

Syntax

Content-Security-Policy: navigate-to 'self' https://trusted.example.com

Notes

Related directives