Content Security Policy (CSP)
Quick Reference Guide

The self Source List Keyword

The self Content Security Policy (CSP) keyword is an alias for the same origin of the current document.

What does self mean in a CSP Policy?

When you encounter the self keyword in a Content-Security-Policy header directive, it is an alias for the same origin. The same origin includes the scheme (http:// or https://) as well as the domain name. So if you type the following into the address bar of a browser:

The origin is:

CSP Self Example

Suppose you are setting a Content-Security-Policy header for the site:

If you set the following header:

Content-Security-Policy: default-src 'none'; img-src 'self';

✔️ Allows

The following are allowed by the CSP 'self' keyword in the policy above:

<img src="/images/logo.png">
<img src="">

❌ Blocks

The following would be blocked by the policy.

<img src="">

If we wanted to allow images to load from, then we need to allow it in our CSP policy:

Content-Security-Policy: default-src 'none'; img-src 'self';

If you're not sure what default-src or img-src are, then check out our CSP Reference Guide for details.
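
The allow and block decisions above can be reproduced with a small checker. This is an added example, not code from the original guide: the function name checkSelf is hypothetical, every example.com URL is a constructed sample value, and the matching follows the CSP Level 3 rule for 'self' (same host and port, with an upgrade from http to https permitted).

```javascript
// Added example: does a resource reference match 'self' for a document?
// Every example.com URL below is a constructed sample value.
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

function checkSelf(documentUrl, resourceRef) {
  const doc = new URL(documentUrl);
  // Relative references such as /images/logo.png resolve against the document.
  const res = new URL(resourceRef, doc);

  // data:, blob: and similar schemes must be listed as their own source.
  if (!NETWORK_SCHEMES.has(res.protocol)) {
    return { allowed: false, reason: 'scheme needs its own source' };
  }
  if (res.origin === doc.origin) {
    return { allowed: true, reason: 'same origin' };
  }
  if (res.hostname !== doc.hostname) {
    return { allowed: false, reason: 'host differs' };
  }
  // URL.port is '' whenever the scheme's default port is in use.
  if (res.port !== doc.port) {
    return { allowed: false, reason: 'port differs' };
  }
  // CSP Level 3: a secure resource, or a plain one on a plain document, matches.
  const secure = res.protocol === 'https:' || res.protocol === 'wss:';
  const plainOnPlain = doc.protocol === 'http:' &&
    (res.protocol === 'http:' || res.protocol === 'ws:');
  if (secure || plainOnPlain) {
    return { allowed: true, reason: 'same host and port, compatible scheme' };
  }
  return { allowed: false, reason: 'scheme differs' };
}

// Constructed sample references, checked against a constructed document URL.
const page = 'https://example.com/account/';
for (const ref of [
  '/images/logo.png',
  'https://example.com/images/logo.png',
  'https://cdn.example.com/logo.png',
  'https://example.com:8443/logo.png',
  'http://example.com/logo.png',
  'data:image/png;base64,AAAA',
]) {
  const { allowed, reason } = checkSelf(page, ref);
  console.log(`${allowed ? 'allow' : 'block'}  ${ref}  (${reason})`);
}
```

A subdomain, a non-default port, or a plain http resource on an https page each fall outside 'self' and need their own entry in the source list.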

Why is CSP self not working?

Here are some reasons why your CSP self keyword is not working:

Browser Support for self

CSP Level 1

Supported On:

Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)

Not Supported On:

Internet Explorer

The CSP self source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).

Internet Explorer 11 and below do not support the CSP self keyword.
