selfSource List Keyword
selfContent Security Policy (CSP) keyword is an alias for the same origin of the current document.
selfmean in a CSP Policy?
When you encounter the
self keyword in a
Content-Security-Policy header directive it is an alias for thet same origin. The same origin includes the scheme (http:// or https://) as well as the domain name. So if you type the following into the address bar of a browser:
The origin is:
Suppose you are setting a
Content-Security-Policy header for the site:
If you set the following header:
Content-Security-Policy: default-src 'none'; img-src 'self';
The following are allowed by the CSP
'self' keyword in the policy above:
<img src="/images/logo.png"> <img src="https://app.example.com/images/logo.png">
The following would be blocked by the policy.
If we wanted to allow images to load from
other-app.example.com, then we need to allow it in our CSP policy:
Content-Security-Policy: default-src 'none'; img-src 'self' https://other-app.example.com;
Here are some reasons why your CSP
self keyword is not working:
'self'the single quotes are required.
self source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).
Internet Explorer 11 and below do not support the CSP