Content Security Policy (CSP)
Quick Reference Guide

The CSP none Source List Keyword

The none Content Security Policy (CSP) keyword matches no sources at all: any directive that uses it blocks every resource of that type, regardless of origin.

What does none mean in a CSP Policy?

When you encounter the none keyword in a Content-Security-Policy header directive it means that no resources of that type are allowed to load. For example, if you have the following policy:

Content-Security-Policy: img-src 'none'

Then images will be prevented from loading on the page.

What directives should I set to none?

A good starting point is to set default-src 'none', which blocks every fetch directive you have not set explicitly, and then add the specific directives you need (for example script-src or img-src) as your application requires them.

If you don't want to set default-src to none, you can still set individual directives such as worker-src or object-src to none to block those resource types outright.

Why is CSP none not working?

One reason a none keyword might not appear to work is that you have defined it in a default-src directive but also supplied another directive that overrides it. For example, if you have the policy:

default-src 'none'; img-src 'self';

Images would be allowed to load from the same origin (self), because the img-src directive overrides the fallback value from the default-src directive. default-src only applies to a fetch directive that is absent from the policy; as soon as a directive is present, its own source list is used instead.
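The following is an added example, not part of the original reference page, that models how a browser resolves a fetch directive against a policy: a directive's own source list wins, default-src is used only as a fallback, and 'none' matches nothing. It uses the three policies discussed above plus one locked-down policy constructed for illustration, and it implements only a simplified subset of CSP source matching ('none', 'self', scheme sources and host sources with an optional leading wildcard; no ports, paths, nonces or hashes). The page origin https://app.example and the hosts cdn.example and evil.example are constructed sample values.

```javascript
// Added example: a simplified CSP source-list evaluator. It is not the
// browser's real algorithm; it models just enough to show how 'none',
// 'self' and default-src fallback interact.

// Directives that fall back to default-src when they are not set.
const FETCH_DIRECTIVES = new Set([
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "style-src",
  "worker-src",
]);

// Parse "a b; c d" into a Map of directive name -> array of source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; keep the first one.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list that governs a directive: its own list if present,
// otherwise default-src for fetch directives, otherwise null (unrestricted).
function effectiveSources(directives, directiveName) {
  if (directives.has(directiveName)) return directives.get(directiveName);
  if (FETCH_DIRECTIVES.has(directiveName) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null;
}

// Match one source expression against a URL (simplified matching).
function matchesSource(source, url, pageOrigin) {
  const u = new URL(url);
  const s = source.toLowerCase();
  if (s === "'self'") return u.origin === pageOrigin;
  if (s.endsWith(":")) return u.protocol === s; // scheme source, e.g. https:
  // Host source such as cdn.example, https://cdn.example or *.example
  const hostPart = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").replace(/\/.*$/, "");
  const hostname = hostPart.replace(/:\d+$/, "");
  if (hostname.startsWith("*.")) return u.hostname.endsWith(hostname.slice(1));
  return u.hostname === hostname;
}

// Decide whether a load governed by directiveName is permitted by policy.
function isAllowed(policy, directiveName, url, pageOrigin) {
  const sources = effectiveSources(parsePolicy(policy), directiveName);
  if (sources === null) return true; // nothing in the policy restricts it
  // 'none' (or an empty list) matches nothing at all.
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  return sources.some(
    (src) => src.toLowerCase() !== "'none'" && matchesSource(src, url, pageOrigin)
  );
}

// Constructed sample origin for the page being protected.
const PAGE_ORIGIN = "https://app.example";

// Policies from the reference page.
const POLICY_IMG_NONE = "img-src 'none'";
const POLICY_OVERRIDE = "default-src 'none'; img-src 'self';";
// Constructed locked-down policy: deny everything, then allow what is needed.
const POLICY_LOCKED =
  "default-src 'none'; script-src 'self'; img-src 'self' https://cdn.example";

// Stand-alone demonstration of the three cases discussed in the text.
function demo() {
  return {
    // img-src 'none' blocks images, but leaves scripts unrestricted because
    // there is no default-src to fall back to.
    imgBlocked: !isAllowed(POLICY_IMG_NONE, "img-src", "https://app.example/logo.png", PAGE_ORIGIN),
    scriptUnrestricted: isAllowed(POLICY_IMG_NONE, "script-src", "https://evil.example/x.js", PAGE_ORIGIN),
    // img-src 'self' overrides default-src 'none' for images only.
    sameOriginImgAllowed: isAllowed(POLICY_OVERRIDE, "img-src", "https://app.example/logo.png", PAGE_ORIGIN),
    scriptStillBlocked: !isAllowed(POLICY_OVERRIDE, "script-src", "https://app.example/app.js", PAGE_ORIGIN),
    // Locked-down policy: only the listed sources get through.
    cdnImgAllowed: isAllowed(POLICY_LOCKED, "img-src", "https://cdn.example/a.png", PAGE_ORIGIN),
    connectBlocked: !isAllowed(POLICY_LOCKED, "connect-src", "https://app.example/api", PAGE_ORIGIN),
  };
}

console.log(demo());
```

Running the block prints an object in which every field is true, which is the behaviour the text describes: with only img-src 'none' set, other resource types remain unrestricted, whereas default-src 'none' denies everything that is not explicitly re-allowed by a more specific directive.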

Browser Support for none

CSP Level 1

Supported On:

Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)

Not Supported On:

Internet Explorer

The CSP none source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).

Internet Explorer 11 and below do not support the CSP none keyword.

CSP Developer Field Guide


Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.


Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.