GitHub Repository: mohamedkhallouq/content
Path: blob/main/files/en-us/web/http/headers/content-security-policy/default-src/index.md
---
title: "CSP: default-src"
slug: Web/HTTP/Headers/Content-Security-Policy/default-src
browser-compat: http.headers.Content-Security-Policy.default-src
---

{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) default-src directive serves as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}. For each of the following directives that are absent, the user agent looks for the default-src directive and uses this value for it:

  • {{CSP("child-src")}}

  • {{CSP("connect-src")}}

  • {{CSP("font-src")}}

  • {{CSP("frame-src")}}

  • {{CSP("img-src")}}

  • {{CSP("manifest-src")}}

  • {{CSP("media-src")}}

  • {{CSP("object-src")}}

  • {{CSP("prefetch-src")}}

  • {{CSP("script-src")}}

  • {{CSP("script-src-elem")}}

  • {{CSP("script-src-attr")}}

  • {{CSP("style-src")}}

  • {{CSP("style-src-elem")}}

  • {{CSP("style-src-attr")}}

  • {{CSP("worker-src")}}

CSP version: 1

Directive type: {{Glossary("Fetch directive")}}

Syntax

One or more sources can be allowed for the default-src policy:

Content-Security-Policy: default-src <source>;

Content-Security-Policy: default-src <source> <source>;

Sources

<source> can be any one of the values listed in CSP Source Values.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a number of other directives).

Examples

No inheritance with default-src

If there are other directives specified, default-src does not influence them. The following header:

Content-Security-Policy: default-src 'self'; script-src https://example.com

is the same as:

Content-Security-Policy: connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'self'; script-src https://example.com; style-src 'self'; worker-src 'self'
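
The fallback resolution described above, as an added example (not part of the original page and not any browser's code): it parses a policy string and reports which directive supplies the source list for each fetch directive, which is useful when auditing a policy for directives that silently inherit `default-src`. The function names are hypothetical, and the intermediate fallbacks follow CSP Level 3, going beyond the direct `default-src` fallback this page lists.

```javascript
// Fetch directives that fall back to default-src, as listed on this page.
const FETCH_DIRECTIVES = [
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "prefetch-src", "script-src",
  "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
  "style-src-attr", "worker-src",
];

// Intermediate fallbacks from CSP Level 3, tried before default-src.
const INTERMEDIATE = {
  "script-src-elem": ["script-src"], "script-src-attr": ["script-src"],
  "style-src-elem": ["style-src"], "style-src-attr": ["style-src"],
  "frame-src": ["child-src"], "worker-src": ["child-src", "script-src"],
};

// Split a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// For each fetch directive, report the source list in force and its origin.
function effectiveSources(policy) {
  const directives = parsePolicy(policy);
  const result = {};
  for (const name of FETCH_DIRECTIVES) {
    const chain = [name, ...(INTERMEDIATE[name] || []), "default-src"];
    const from = chain.find((d) => directives.has(d)) ?? null;
    // from === null means this policy places no restriction on the fetch type.
    result[name] = { from, sources: from ? directives.get(from) : null };
  }
  return result;
}

// Constructed sample: the policy from the example above.
const sample = effectiveSources(
  "default-src 'self'; script-src https://example.com");
console.log(sample["img-src"], sample["script-src"], sample["script-src-elem"]);
```
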

Specifications

{{Specifications}}

Browser compatibility

{{Compat}}

See also