Content Security Policy (CSP)
Quick Reference Guide


The self Source List Keyword

The self Content Security Policy (CSP) keyword is an alias for the same origin of the current document.

What does self mean in a CSP Policy?

When you encounter the self keyword in a Content-Security-Policy header directive, it is an alias for the same origin. The same origin includes the scheme (http:// or https://) as well as the domain name. So if you type the following into the address bar of a browser:

https://app.example.com/sub-app/

The origin is: https://app.example.com

CSP Self Example

Suppose you are setting a Content-Security-Policy header for the site: https://app.example.com

If you set the following header:

Content-Security-Policy: default-src 'none'; img-src 'self';

✔️ Allows

The following are allowed by the CSP 'self' keyword in the policy above:

<img src="/images/logo.png">
<img src="https://app.example.com/images/logo.png">

❌ Blocks

The following would be blocked by the policy.

<img src="https://other-app.example.com/images/logo.png">

If we wanted to allow images to load from other-app.example.com, then we need to allow it in our CSP policy:

Content-Security-Policy: default-src 'none'; img-src 'self' https://other-app.example.com;

If you're not sure what default-src or img-src are, then check out our CSP Reference Guide for details.
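The allow/block decisions above can be reproduced with a small matcher. This is an added example, not code from the original guide: the function names parsePolicy, matchesSource and isAllowed are hypothetical, the matching is simplified as noted in the comments, and the unquoted-self policy is a constructed misconfiguration.

```javascript
// Added example (not from the original page): simplified CSP source-list matching.
// Handles 'none', 'self' and plain host sources only; no wildcards, paths, nonces or hashes.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue; // empty segment, e.g. after a trailing ';'
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function matchesSource(source, selfOrigin, target) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  // Simplification: strict origin equality. Browsers also let 'self' match
  // some secure upgrades (http document, https resource on the same host).
  if (s === "'self'") return target.origin === selfOrigin;
  // Host source with a scheme, e.g. https://other-app.example.com
  if (s.includes('://')) {
    try { return new URL(s).origin === target.origin; } catch { return false; }
  }
  // Scheme-less host source. An unquoted self lands here and is treated as
  // a host literally named "self", not as the keyword.
  return target.hostname === s;
}

function isAllowed(header, directive, documentUrl, resourceUrl) {
  const policy = parsePolicy(header);
  // Fetch directives such as img-src fall back to default-src when absent.
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this resource type
  const selfOrigin = new URL(documentUrl).origin;
  const target = new URL(resourceUrl, documentUrl); // resolves /images/logo.png
  return sources.some((src) => matchesSource(src, selfOrigin, target));
}

// Values taken from the page; UNQUOTED is a constructed misconfiguration.
const DOC = 'https://app.example.com/sub-app/';
const SELF_ONLY = "default-src 'none'; img-src 'self';";
const WITH_OTHER = "default-src 'none'; img-src 'self' https://other-app.example.com;";
const UNQUOTED = "default-src 'none'; img-src self;";
for (const url of ['/images/logo.png', 'https://other-app.example.com/images/logo.png']) {
  console.log(url, isAllowed(SELF_ONLY, 'img-src', DOC, url), isAllowed(WITH_OTHER, 'img-src', DOC, url));
}
```

With the UNQUOTED policy, even /images/logo.png is rejected, because self without single quotes is read as a host name rather than the keyword.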

Why is CSP self not working?

Here are some reasons why your CSP self keyword is not working:

Browser Support for self

CSP Level 1


Supported On:


Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)


Not Supported On:


Internet Explorer

The CSP self source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).


Internet Explorer 11 and below do not support the CSP self keyword.