CSP fetch directives are used in a Content-Security-Policy header and control the locations from which certain resource types may be loaded. For instance, script-src lets developers specify the trusted sources from which script may execute on a page, while font-src controls the sources of web fonts.

All fetch directives fall back to default-src. That is, if a fetch directive is absent from the CSP header, the user agent looks for the default-src directive instead.

List of CSP fetch directives

child-src
Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

Instead of child-src, authors who wish to regulate nested browsing contexts and workers should use the frame-src and worker-src directives, respectively.

connect-src
Restricts the URLs which can be loaded using script interfaces.
default-src
Serves as a fallback for the other fetch directives.
font-src
Specifies valid sources for fonts loaded using @font-face.
frame-src
Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
img-src
Specifies valid sources of images and favicons.
manifest-src
Specifies valid sources of application manifest files.
media-src
Specifies valid sources for loading media using the <audio>, <video>, and <track> elements.
object-src
Specifies valid sources for the <object>, <embed>, and <applet> elements.
Elements controlled by object-src are, perhaps coincidentally, considered legacy HTML elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch directive (e.g. explicitly set object-src 'none' if possible).
prefetch-src
Specifies valid sources to be prefetched or prerendered.
script-src
Specifies valid sources for JavaScript.
style-src
Specifies valid sources for stylesheets.
webrtc-src
Specifies valid sources for WebRTC connections.
worker-src
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
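
The fallback rule and the object-src recommendation above can be checked against a concrete header. The following is an added example, not code from this page or from any browser: it parses a policy, reports which directive actually governs each fetch directive listed here, and flags a policy whose effective object-src is not 'none'. The function names, the sample policy and the INTERMEDIATE table (frame-src and worker-src consulting child-src, and worker-src also script-src, before default-src) are assumptions that go beyond what the page states.

```javascript
// Added example (not MDN's code). Fetch directives listed on this page.
const FETCH_DIRECTIVES = [
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "prefetch-src",
  "script-src", "style-src", "webrtc-src", "worker-src",
];
// Assumption beyond the page: directives consulted before default-src.
const INTERMEDIATE = {
  "frame-src": ["child-src"],
  "worker-src": ["child-src", "script-src"],
};

// Parse a header value into Map(directive name -> source expressions).
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Find which directive actually governs `directive` in this policy.
function effectiveSources(policy, directive) {
  const chain = [directive, ...(INTERMEDIATE[directive] || []), "default-src"];
  for (const name of chain) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null }; // unrestricted by this policy
}

function auditPolicy(headerValue) {
  const policy = parsePolicy(headerValue);
  const report = {};
  for (const d of FETCH_DIRECTIVES) report[d] = effectiveSources(policy, d);
  const obj = report["object-src"].sources;
  // An empty source list matches nothing, the same as 'none'.
  const objectSrcLockedDown = obj !== null &&
    (obj.length === 0 || (obj.length === 1 && obj[0].toLowerCase() === "'none'"));
  return { report, objectSrcLockedDown };
}

// Constructed sample policy, not taken from any real site.
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example; child-src https://frames.example";
console.log(auditPolicy(SAMPLE));
```

In the sample, object-src is absent and inherits 'self' from default-src, so the audit reports it as not locked down even though the policy looks restrictive at a glance.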

Document Tags and Contributors

Contributors to this page: bershanskiy, mfuji09, Sheppy, mdnwebdocs-bot, Malvoz, fscholz
Last updated by: bershanskiy,