Content Security Policy (CSP)
Quick Reference Guide

The default-src Directive

The default-src Content Security Policy (CSP) directive allows you to specify the default or fallback resources that can be loaded (or fetched) on the page (such as script-src, or style-src, etc.)

The default-src directive is a fallback

You will often see default-src referred to as a fallback for other directives. For example, if you DO specify a default-src, but DO NOT specify a style-src directive, then the value you specified for default-src will be used for as the style-src policy.

For example if your Content-Security-Policy is specified as:

default-src 'self'

Then the script-src and style-src policy will implicitly be 'self'

Which directives fallback to default-src?

All CSP fetch directives fallback to the default-src directive. For example the following directives will fallback to default-src:

Which directives DO NOT fallback to default-src?

Directives that are not fetch directives do not fallback to the default source policy. Here are a few CSP directives that do not fallback to default-src:

Do the directives inherit from default-src?

If you specify the following policy:

default-src 'self';script-src;

The script-src element does not inherit 'self' from the default-src, the script-src policy if specified overwrites the default-src policy for the given directive.

The policy for style-src, img-src, etc. would still fall back to the default policy ('self').

Therefor when you specify one of the CSP fetch directives, it doesn't inherit values from default-src, whatever you specify overrides default-src and becomes the policy for that directive.

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

Grab a Copy

Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.