mdn · wbamberg · Feb 1, 2022 · Jan 31, 2022 · Jan 31, 2022 · Feb 1, 2022
@@ -32,18 +32,18 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest
 
 ## Syntax
 
-One or more*sources* can be allowed for the base-uri policy:
+One or more *sources* can be allowed for the base-uri policy:
 
-```
+```http
 Content-Security-Policy: base-uri <source>;
 Content-Security-Policy: base-uri <source> <source>;
 ```
 
 ### Sources
 
-While this directive uses the same arguments as other CSP directives, some of them don’t make sense for \`\<base>\`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`
+This directive uses most of the same source values for arguments as other CSP directives: [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
+Note however that some of the values don't make sense for `base-uri`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`.
 
 ## Examples
 

@@ -43,24 +43,26 @@ network errors by the user agent.
 
 ## Syntax
 
-One or more sources can be allowed for the child-src policy:
+One or more sources can be allowed for the `child-src` policy:
 
-```
+```http
 Content-Security-Policy: child-src <source>;
 Content-Security-Policy: child-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: child-src https://example.com/
 ```
 

@@ -52,22 +52,24 @@ loaded using script interfaces. The APIs that are restricted are:
 
 One or more sources can be allowed for the connect-src policy:
 
-```
+```http
 Content-Security-Policy: connect-src <source>;
 Content-Security-Policy: connect-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: connect-src https://example.com/
 ```
 

@@ -58,49 +58,9 @@ Content-Security-Policy: default-src <source> <source>;
 
 ### Sources
 
-\<source> can be one of the following:
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-- `<host-source>`
-
-  - : Internet hosts by name or IP address, as well as an optional [URL scheme](/en-US/docs/Learn/Common_questions/What_is_a_URL) and/or port number. The site's address may include an optional leading wildcard (the asterisk character, `'*'`), and you may use a wildcard (again, `'*'`) as the port number, indicating that all legal ports are valid for the source.
-    Examples:
-
-    - `http://*.example.com`: Matches all attempts to load from any subdomain of example.com using the `http:` URL scheme.
-    - `mail.example.com:443`: Matches all attempts to access port 443 on mail.example.com.
-    - `https://store.example.com`: Matches all attempts to access store.example.com using `https:`.
-    - `*.example.com`: Matches all attempts to load from any subdomain of example.com using the current protocol.
-
-- `<scheme-source>`
-
-  - : A scheme such as `http:` or `https:`. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
-
-    - `data:` Allows [`data:` URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) to be used as a content source. _This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts._
-    - `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Streams_API) to be used as a content source.
-    - `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source.
-    - `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source.
-
-- `'self'`
-  - : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. Sites needing to allow these content types can specify them using the Data attribute.
-- `'unsafe-eval'`
-  - : Allows the use of `eval()` and similar methods for creating code from strings. You must include the single quotes.
-- `'unsafe-hashes'`
-  - : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers). If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or `javascript:` URLs, this is a safer method than using the `unsafe-inline` expression.
-- `'unsafe-inline'`
-  - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, `javascript:` URLs, inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required.
-- `'none'`
-  - : Refers to the empty set; that is, no URLs match. The single quotes are required.
-- `'nonce-<base64-value>'`
-
-  - : An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support.
-
-    > **Note:** The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source).
-
-- `'<hash-algorithm>-<base64-value>'`
-  - : A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the \<script> or \<style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. In CSP 2.0, this is applied only to inline scripts. CSP 3.0 allows it in the case of `script-src` for external scripts.
-- `'strict-dynamic'`
-  - : The `strict-dynamic` source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as `'self'` or `'unsafe-inline'` are ignored. See [script-src](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic) for an example.
-- `'report-sample'`
-  - : Requires a sample of the violating code to be included in the violation report.
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 

@@ -42,22 +42,24 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}.
 
 One or more sources can be allowed for the `font-src` policy:
 
-```
+```http
 Content-Security-Policy: font-src <source>;
 Content-Security-Policy: font-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: font-src https://example.com/
 ```
 

@@ -39,14 +39,16 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form-action`** direc
 
 One or more sources can be set for the `form-action` policy:
 
-```
+```http
 Content-Security-Policy: form-action <source>;
 Content-Security-Policy: form-action <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 

@@ -45,22 +45,24 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and
 
 One or more sources can be allowed for the `frame-src` policy:
 
-```
+```http
 Content-Security-Policy: frame-src <source>;
 Content-Security-Policy: frame-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: frame-src https://example.com/
 ```
 

@@ -15,9 +15,7 @@ browser-compat: http.headers.csp.Content-Security-Policy.img-src
 ---
 {{HTTPSidebar}}
 
-The HTTP {{HTTPHeader("Content-Security-Policy")}}
-**`img-src`** directive specifies valid sources of images and
-favicons.
+The HTTP {{HTTPHeader("Content-Security-Policy")}} **`img-src`** directive specifies valid sources of images and favicons.
 
 <table class="properties">
   <tbody>
@@ -43,22 +41,24 @@ favicons.
 
 One or more sources can be allowed for the `img-src` policy:
 
-```
+```http
 Content-Security-Policy: img-src <source>;
 Content-Security-Policy: img-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: img-src https://example.com/
 ```
 

@@ -46,12 +46,11 @@ where `<policy-directive>` consists of:
 
 ### Fetch directives
 
-Fetch directives control the locations from which certain resource types may be loaded.
+{{Glossary("Fetch directive","Fetch directives")}} control the locations from which certain resource types may be loaded.
 
 - {{CSP("child-src")}}
 
-  - : Defines the valid sources for [web
-    workers](/en-US/docs/Web/API/Web_Workers_API) and nested browsing contexts loaded using elements such as
+  - : Defines the valid sources for [web workers](/en-US/docs/Web/API/Web_Workers_API) and nested browsing contexts loaded using elements such as
     {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}.
 
     > **Warning:** Instead of **`child-src`**,
@@ -193,16 +192,19 @@ Reporting directives control the reporting process of CSP violations. See also t
 
 ## Values
 
+An overview of the allowed values are listed below.
+For detailed reference see [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) and the documentation for individual directives.
+
 ### Keyword values
 
 - `none`
   - : Won't allow loading of any resources.
 - `self`
   - : Only allow resources from the current origin.
 - `strict-dynamic` {{experimental_inline}}
-  - : TBD
+  - : The trust granted to a script in the page due to an accompanying nonce or hash is extended to the scripts it loads.
 - `report-sample` {{experimental_inline}}
-  - : TBD
+  - : Require a sample of the violating code to be included in the violation report.
 
 ### Unsafe keyword values
 
@@ -211,7 +213,7 @@ Reporting directives control the reporting process of CSP violations. See also t
 - `unsafe-eval`
   - : Allow use of dynamic code evaluation such as {{jsxref("Global_Objects/eval", "eval")}}, {{domxref("Window.setImmediate", "setImmediate")}}{{non-standard_inline}}, and `window.execScript` {{non-standard_inline}}.
 - `unsafe-hashes` {{experimental_inline}}
-  - : TBD
+  - : Allows enabling specific inline event handlers.
 - `unsafe-allow-redirects` {{experimental_inline}}
   - : TBD
 

@@ -44,22 +44,24 @@ to the resource.
 
 One or more sources can be allowed for the `manifest-src` policy:
 
-```
+```http
 Content-Security-Policy: manifest-src <source>;
 Content-Security-Policy: manifest-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: manifest-src https://example.com/
 ```
 

@@ -43,22 +43,24 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.
 
 One or more sources can be allowed for the `media-src` policy:
 
-```
+```http
 Content-Security-Policy: media-src <source>;
 Content-Security-Policy: media-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: media-src https://example.com/
 ```
 

@@ -46,14 +46,16 @@ on what this document is allowed to navigate to.
 
 One or more sources can be set for the `navigate-to` policy:
 
-```
+```http
 Content-Security-Policy: navigate-to <source>;
 Content-Security-Policy: navigate-to <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 

@@ -51,24 +51,26 @@ To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, an
 
 ## Syntax
 
-One or more sources can be allowed for the object-src policy:
+One or more sources can be allowed for the `object-src` policy:
 
-```
+```http
 Content-Security-Policy: object-src <source>;
 Content-Security-Policy: object-src <source> <source>;
 ```
 
 ### Sources
 
-{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
+`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+
+Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
 
 ## Examples
 
 ### Violation cases
 
 Given this CSP header:
 
-```
+```http
 Content-Security-Policy: object-src https://example.com/
 ```