Path: blob/main/files/en-us/web/http/headers/content-security-policy/default-src/index.md
6532 views
------{{HTTPSidebar}}
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) default-src directive serves as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}. For each of the following directives that are absent, the user agent looks for the default-src directive and uses this value for it:
{{CSP("child-src")}}
{{CSP("connect-src")}}
{{CSP("font-src")}}
{{CSP("frame-src")}}
{{CSP("img-src")}}
{{CSP("manifest-src")}}
{{CSP("media-src")}}
{{CSP("object-src")}}
{{CSP("prefetch-src")}}
{{CSP("script-src")}}
{{CSP("script-src-elem")}}
{{CSP("script-src-attr")}}
{{CSP("style-src")}}
{{CSP("style-src-elem")}}
{{CSP("style-src-attr")}}
{{CSP("worker-src")}}
| CSP version | 1 |
|---|---|
| Directive type | {{Glossary("Fetch directive")}} |
Syntax
One or more sources can be allowed for the default-src policy:
Sources
<source> can be any one of the values listed in CSP Source Values.
Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a number of other directives).
Examples
No inheritance with default-src
If there are other directives specified, default-src does not influence them. The following header:
is the same as:
Specifications
{{Specifications}}
Browser compatibility
{{Compat}}
See also
{{HTTPHeader("Content-Security-Policy")}}
CSP directives (https://www.w3.org/TR/CSP/#csp-directives):
{{Glossary("Fetch directive")}}
{{Glossary("Document directive")}}
{{Glossary("Navigation directive")}}
{{Glossary("Reporting directive")}}