---

What does self mean in a CSP Policy?

When you encounter the self keyword in a Content-Security-Policy header directive it is an alias for the same origin. The same origin includes the scheme (http:// or https://) as well as the domain name. So if you type the following into the address bar of a browser:

https://app.example.com/sub-app/

The origin is: https://app.example.com

CSP Self Example

Suppose you are setting a Content-Security-Policy header for the site: https://app.example.com

If you set the following header:

Content-Security-Policy: default-src 'none'; img-src 'self';

✔️ Allows

The following are allowed by the CSP 'self' keyword in the policy above:

<img src="/images/logo.png">
<img src="https://app.example.com/images/logo.png">

❌ Blocks

The following would be blocked by the policy.

<img src="https://other-app.example.com/images/logo.png">

If we wanted to allow images to load from other-app.example.com, then we need to allow it in our CSP policy:

Content-Security-Policy: default-src 'none'; img-src 'self' https://other-app.example.com;

If you're not sure what default-src or img-src are, then check out our CSP Reference Guide for details.

Why is CSP self not working?

Here are some reasons why your CSP self keyword is not working:

• You may be using self and not 'self' the single quotes are required.
• Missing a semi-colon in your CSP policy?
• Make sure you are not trying to cross schemes http / https in your CSP.

Browser Support for self

The CSP self source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).

Internet Explorer 11 and below do not support the CSP self keyword.

---