Content Security Policy (CSP)
Quick Reference Guide


The default-src Directive

The default-src Content Security Policy (CSP) directive specifies the default, or fallback, source list for the resources a page may load (or fetch). It applies to every fetch directive (such as script-src or style-src) that you do not set explicitly.

The default-src directive is a fallback

You will often see default-src referred to as a fallback for other directives. For example, if you DO specify a default-src but DO NOT specify a style-src directive, then the value you specified for default-src will be used as the style-src policy.

For example if your Content-Security-Policy is specified as:

default-src 'self' cdn.example.com

Then the script-src policy (and likewise style-src, img-src, and every other fetch directive you did not set) will implicitly be 'self' cdn.example.com

Which directives fall back to default-src?

All CSP fetch directives fall back to the default-src directive. For example, the following directives fall back to default-src:

child-src, connect-src, font-src, frame-src, img-src, manifest-src, media-src, object-src, script-src, style-src, worker-src

Some of these go through an intermediate directive first: frame-src falls back to child-src before default-src, and worker-src falls back to child-src, then script-src, then default-src. Similarly, script-src-elem and script-src-attr fall back to script-src, and style-src-elem and style-src-attr fall back to style-src, before reaching default-src.

Which directives DO NOT fall back to default-src?

Directives that are not fetch directives do not fall back to the default source policy. Here are a few CSP directives that do not fall back to default-src:

base-uri, form-action, frame-ancestors, sandbox, report-uri, report-to, upgrade-insecure-requests

A practical consequence: a policy of default-src 'self' on its own leaves form submissions, the document's base URL, and framing by other origins unrestricted. If you need to control them, set form-action, base-uri, and frame-ancestors explicitly.

Do the directives inherit from default-src?

If you specify the following policy:

default-src 'self';script-src js.example.com;

The script-src directive does not inherit 'self' from default-src. When a directive is specified, its value replaces the default-src value entirely for that directive, so in this policy scripts may load only from js.example.com and not from the page's own origin.

The policy for style-src, img-src, etc. still falls back to the default policy ('self').
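To make the fallback rules concrete, here is a small resolver, added as an example for this guide (it is not browser code and not from the guide's author), that computes which source list a browser would enforce for a given directive under a policy string. The fallback chains it encodes are the CSP Level 3 ones: most fetch directives fall back straight to default-src, frame-src goes through child-src, worker-src goes through child-src and script-src, and the -elem/-attr variants go through their parent directive. The function names parsePolicy and effectiveSources are my own, and the policy strings are the ones used in the sections above.

```javascript
// Added example (not from the guide): resolve the effective source list a
// browser applies for a directive, following the CSP Level 3 fallback rules.
// Directives not listed here (base-uri, form-action, frame-ancestors,
// sandbox, report-uri, report-to, ...) never fall back to default-src.
const FALLBACK_CHAIN = {
  'script-src': ['default-src'],
  'script-src-elem': ['script-src', 'default-src'],
  'script-src-attr': ['script-src', 'default-src'],
  'style-src': ['default-src'],
  'style-src-elem': ['style-src', 'default-src'],
  'style-src-attr': ['style-src', 'default-src'],
  'img-src': ['default-src'],
  'font-src': ['default-src'],
  'connect-src': ['default-src'],
  'media-src': ['default-src'],
  'object-src': ['default-src'],
  'manifest-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

// Parse a policy such as "default-src 'self'; script-src js.example.com" into
// a Map of directive name -> array of source expressions. Directive names are
// case-insensitive; a repeated directive keeps its first value, as browsers do.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list the browser enforces for `directive` and which
// directive it came from. Lookup tries the directive itself, then walks its
// fallback chain, stopping at the first directive present in the policy.
// A present directive replaces the fallback entirely; it never merges with
// default-src. Returns null when nothing in the policy applies.
function effectiveSources(policy, directive) {
  const directives = parsePolicy(policy);
  const name = directive.toLowerCase();
  const chain = [name, ...(FALLBACK_CHAIN[name] || [])];
  for (const candidate of chain) {
    if (directives.has(candidate)) {
      return { from: candidate, sources: directives.get(candidate) };
    }
  }
  return null;
}

// Worked cases using the policy from the guide.
const policy = "default-src 'self'; script-src js.example.com";
console.log(effectiveSources(policy, 'script-src'));
// -> { from: 'script-src', sources: [ 'js.example.com' ] }   ('self' is NOT inherited)
console.log(effectiveSources(policy, 'style-src'));
// -> { from: 'default-src', sources: [ "'self'" ] }
console.log(effectiveSources(policy, 'worker-src'));
// -> { from: 'script-src', sources: [ 'js.example.com' ] }   (no child-src, so script-src wins before default-src)
console.log(effectiveSources(policy, 'form-action'));
// -> null   (form-action is not a fetch directive and does not fall back)
```

The worker-src case is the one that surprises people: a policy that sets script-src but not child-src silently applies the script-src list to workers as well, so tightening script-src can break worker loading even though default-src still allows 'self'.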