Configure each directive below. Leave empty to omit from the policy.
Fetch directives
default-src
Fallback for the other fetch directives. Sets the policy for every resource type that is not explicitly specified. A directive that is specified replaces the default-src value for its resource type rather than extending it, so each listed directive has to repeat any sources it still needs.
script-src
Controls valid sources for JavaScript files and inline scripts.
style-src
Controls valid sources for stylesheets and inline styles.
img-src
Controls valid sources of images and favicons.
font-src
Controls valid sources for fonts loaded via @font-face.
connect-src
Controls URLs which can be loaded via fetch, XHR, WebSocket, and EventSource.
media-src
Controls valid sources for <audio> and <video> elements.
object-src
Controls valid sources for <object> and <embed> elements (and <applet> in older specifications). Set to 'none' unless plugin content is actually required.
frame-src
Controls valid sources for <frame> and <iframe> elements.
worker-src
Controls valid sources for Worker, SharedWorker, and ServiceWorker scripts.
Common values
'self': same origin only (same scheme, host and port)
'none': block everything for that directive
'unsafe-inline': allow inline scripts/styles (avoid if possible; a nonce or hash is the safer way to permit specific inline code, and when either is present browsers ignore 'unsafe-inline')
'unsafe-eval': allow eval() and other string-to-code APIs (avoid if possible)
*: allow all sources (any host over a network scheme, but not data:, blob: or filesystem: URLs, and it never permits inline code or eval)
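The following is an added example, not code from this page or its builder: it serializes a directive map of the shape described above into a Content-Security-Policy header value (omitting empty directives, quoting keywords and nonce/hash sources, and keeping bare host and scheme expressions unquoted), then lints the result for the weak choices flagged in the list of common values. The function names, the directive order and the sample policy are assumptions for illustration.

```javascript
// Added example (not part of the original page). Builds a CSP header value from a
// directive map and flags weak settings. Function names and the sample policy below
// are assumptions; directive and source names are the standard CSP ones.

const FETCH_DIRECTIVES = [
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'worker-src',
];

// Keywords that must be single-quoted in the serialized header. Host and scheme
// expressions (https://cdn.example.com, data:, *) are emitted without quotes.
const KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes',
]);

// Normalise one source expression: accept "self" or "'self'" and quote it correctly.
function serializeSource(value) {
  const v = String(value).trim().replace(/^'|'$/g, '');
  if (KEYWORDS.has(v) || /^(nonce|sha256|sha384|sha512)-/.test(v)) return `'${v}'`;
  return v;
}

// Values may be an array or a whitespace-separated string; empty entries are omitted,
// which matches "leave empty to omit from the policy".
function sourcesOf(directives, name) {
  const raw = directives[name];
  const list = Array.isArray(raw) ? raw : String(raw ?? '').split(/\s+/);
  return list.filter(Boolean).map(serializeSource);
}

function buildCsp(directives) {
  const parts = [];
  for (const name of FETCH_DIRECTIVES) {
    const values = sourcesOf(directives, name);
    if (values.length === 0) continue;
    parts.push(`${name} ${values.join(' ')}`);
  }
  return parts.join('; ');
}

// Effective source list for a directive, applying the default-src fallback.
function effective(directives, name) {
  const own = sourcesOf(directives, name);
  return own.length ? own : sourcesOf(directives, 'default-src');
}

// Returns an array of human-readable findings; an empty array means nothing flagged.
function lintCsp(directives) {
  const findings = [];
  if (sourcesOf(directives, 'default-src').length === 0) {
    findings.push('no default-src: unlisted fetch directives fall back to allowing everything');
  }
  const script = effective(directives, 'script-src');
  const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // With a nonce or hash present, browsers ignore 'unsafe-inline' (it is then only a
  // fallback for old browsers), so it is not reported in that case.
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected inline <script> is not blocked");
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': string-to-code APIs stay available to an attacker");
  }
  if (script.includes('*')) {
    findings.push('script-src allows *: script can be loaded from any host');
  }
  if (!effective(directives, 'object-src').includes("'none'")) {
    findings.push("object-src is not 'none': plugin content via <object>/<embed> can run script");
  }
  return findings;
}

// Constructed sample input in the shape of the form above (not a real site's policy).
const SAMPLE_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com', "'unsafe-inline'"],
  'img-src': 'self data:',
  'object-src': ["'none'"],
  'font-src': [],
};

console.log('Content-Security-Policy: ' + buildCsp(SAMPLE_POLICY));
for (const f of lintCsp(SAMPLE_POLICY)) console.log('finding: ' + f);
```

Replacing the 'unsafe-inline' entry in script-src with a per-response nonce (for example 'nonce-...' generated server-side) makes the lint pass while keeping legacy-browser compatibility, which is the usual hardening path for a policy built from this form.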