"Permitted Hosts and Domains" option is a part of the Content Security Policy HTTP Header.
By whitelisting sources of approved content, you can prevent the browser from loading malicious assets to your site.
How to whitelist sources of the approved content
To whitelist, you just need to add the line(s) into "Permitted Hosts and Domains" option field. (See the screenshots below)
The line you add will configure your site to only load scripts, images, style sheets etc. from that host/domain.
For example, if you want browser to load content from your domain only, and your site URL is http://yourdomain.com, add the line "yourdomain.com" (you should remove prefix http://. Otherwise, it will be removed automatically)
On the other hand, if your site URL is https://yourdomain.com, add line with the "https://" prefix. (You can force only HTTPS for a given domain by prefixing it with "https://")
Note: If you allow HTTP it automatically allows HTTPS, but not vice versa.
Important: If you are unsure what domain/host to whitelist, use * . This will be your valid source and the content will be loaded from everywhere, without restriction.
We also recommend you to read:
- Your site content loading is blocked - what should you do?
- How to secure your site(s) with Content Security Policy HTTP Header
- you can also read a further summary on this over at html5rocks here