noneSource List Keyword
noneContent Security Policy (CSP) keyword is an alias for the same origin of the current document.
nonemean in a CSP Policy?
When you encounter the
none keyword in a
Content-Security-Policy header directive it means that no resources are allowed to load. So if for example you have the following policy:
Content-Security-Policy: img-src 'none'
Then images will be prevented from loading on the page.
It is not a bad idea to set
default-src 'none' to block all fetch directives, and then add in other directives as needed.
If you don't want to set
default-src to none then you might be able to set directives like
One reason why a
none keyword might not work, if you have defined it in a
default-src directive, but also supplied another directive to override it. For example if you have the policy:
default-src 'none'; img-src 'self';
Images would be allowed to load from the same origin (self), because the
img-src directive overrides the value for the
none source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).
Internet Explorer 11 and below do not support the CSP
Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.