default-src Directive

The default-src Content Security Policy (CSP) directive allows you to specify the default or fallback resources that can be loaded (or fetched) on the page, for directives such as script-src, style-src, etc.

default-src directive is a fallback

You will often see default-src referred to as a fallback for other directives. For example, if you DO specify a default-src, but DO NOT specify a style-src directive, then the value you specified for default-src will be used as the style-src policy.
For example if your Content-Security-Policy is specified as:
default-src 'self' cdn.example.com
Then the script-src and style-src policies will implicitly be 'self' cdn.example.com
Which directives fall back to default-src?

All CSP fetch directives fall back to the default-src directive. For example, the following directives will fall back to default-src:

script-src
style-src
font-src
img-src
connect-src
worker-src
object-src
media-src
manifest-src
frame-src
prefetch-src
child-src

Which directives do not fall back to default-src?

Directives that are not fetch directives do not fall back to the default source policy. Here are a few CSP directives that do not fall back to default-src:

base-uri
form-action
frame-ancestors
report-uri
sandbox

Does script-src inherit from default-src?

If you specify the following policy:
default-src 'self';script-src js.example.com;
The script-src directive does not inherit 'self' from default-src: when script-src is specified, it overwrites the default-src policy for that directive.
The policy for style-src, img-src, etc. would still fall back to the default policy ('self').
Therefore, when you specify one of the CSP fetch directives, it doesn't inherit values from default-src; whatever you specify overrides default-src and becomes the complete policy for that directive.
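To make the fallback rules above concrete, here is an added example (not code from this page) that parses a raw Content-Security-Policy header value and resolves which source list actually governs a given directive. It simplifies the spec in one respect: worker-src and frame-src are treated as falling straight back to default-src, skipping their intermediate child-src step.

```python
from typing import Dict, List, Optional

# Fetch directives listed on this page; when absent they fall back to default-src.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "font-src", "img-src", "connect-src",
    "worker-src", "object-src", "media-src", "manifest-src", "frame-src",
    "prefetch-src", "child-src",
}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Browsers ignore a repeated directive name; the first occurrence wins.
        policy.setdefault(name, sources)
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`, or None if nothing restricts it."""
    if directive in policy:
        # An explicit directive replaces default-src entirely; nothing is inherited.
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        # Unspecified fetch directive: fall back to default-src (may itself be absent).
        return policy.get("default-src")
    # base-uri, form-action, frame-ancestors, etc. never fall back.
    return None

def explain(header: str, directives: List[str]) -> Dict[str, str]:
    """Summarise, per directive, which policy applies and why."""
    policy, out = parse_csp(header), {}
    for d in directives:
        src = effective_sources(policy, d)
        if d in policy:
            out[d] = "explicit: " + " ".join(src)
        elif src is not None:
            out[d] = "fallback to default-src: " + " ".join(src)
        else:
            out[d] = "unrestricted (no fallback)"
    return out

if __name__ == "__main__":
    # Constructed sample: the second policy shown on this page.
    print(explain("default-src 'self';script-src js.example.com;", ["script-src", "style-src", "form-action"]))
```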