
Fetch Directive Syntax

Fetch directives control where browsers may load resources from. In their simplest form they accept either a hard block or a source list. The source list syntax is shared by most CSP fetch directives, with a few directive-specific exceptions.

Core Rules

1. Use 'none' to block the resource type entirely
   When a fetch directive is set to 'none', the browser blocks that kind of resource completely.

2. Use a source-expression list to allow approved sources
   A source list contains one or more source expressions. The browser allows the resource when any entry in the list matches it.

3. Quote keywords, leave host and scheme sources unquoted
   <host-source> and <scheme-source> entries are written without quotes. Keywords, nonces and hashes stay in single quotes.

4. Not every form applies everywhere
   Different directives accept different subsets of the shared source-expression forms. Check the individual directive page when a keyword behaves differently.
Syntax Example
Content-Security-Policy: default-src 'self';
Content-Security-Policy: script-src 'self' https://cdn.example.com 'nonce-abc123';
Content-Security-Policy: img-src https://images.example.com;
The first directive blocks everything except the current origin. The second combines an origin allowlist with a nonce. The third uses a simple host source list.
Source Expression Forms
'none'
Blocks the resource type entirely.
<host-source>
Allows a matching host, optional port, and optional path.
<scheme-source>
Allows every origin that uses the named scheme, written with its trailing colon; for example, https: matches every https origin.
'self'
Allows the current origin.
'unsafe-inline'
Allows inline script or style content when the directive supports it.
'unsafe-hashes'
Allows matching hashed inline event handlers or style attributes where supported.
'unsafe-eval'
Allows string-based JavaScript or CSS evaluation APIs where supported.
'wasm-unsafe-eval'
Allows WebAssembly compilation in script contexts that support it.
'strict-dynamic'
Changes trust propagation so nonced or hashed scripts can load additional scripts.
'report-sample'
Adds a short source sample to violation reports for supported directives.
'nonce-<nonce_value>'
Allows a server-generated nonce value to authorize specific inline blocks.
'sha256-<hash_value>'
Allows a SHA-256 hash to authorize an exact inline block.
'sha384-<hash_value>'
Allows a SHA-384 hash to authorize an exact inline block.
'sha512-<hash_value>'
Allows a SHA-512 hash to authorize an exact inline block.
This page summarizes the shared fetch-directive syntax from MDN. For the exact directive-specific allowances, open the individual directive in the main reference.