The HTTP Content-Security-Policy
base-uri
directive restricts the URLs which can be used in a document's <base>
element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the <base>
element.
CSP version | 2 |
---|---|
Directive type | Document directive |
default-src fallback | No. Not setting this allows anything. |
One or more sources can be allowed for the base-uri policy:
Content-Security-Policy: base-uri <source>; Content-Security-Policy: base-uri <source> <source>;
<source> can be one of the following:
'*'
), and you may use a wildcard (again, '*'
) as the port number, indicating that all legal ports are valid for the source.http://*.example.com
: Matches all attempts to load from any subdomain of example.com using the http:
URL scheme.mail.example.com:443
: Matches all attempts to access port 443 on mail.example.com.https://store.example.com
: Matches all attempts to access store.example.com using https:
.data:
Allows data:
URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
mediastream:
Allows mediastream:
URIs to be used as a content source.blob:
Allows blob:
URIs to be used as a content source.filesystem:
Allows filesystem:
URIs to be used as a content source.'self'
blob
and filesystem
from source directives. Sites needing to allow these content types can specify them using the Data attribute.'unsafe-inline'
<script>
elements, javascript:
URLs, inline event handlers, and inline <style>
elements. You must include the single quotes.'unsafe-eval'
eval()
and similar methods for creating code from strings. You must include the single quotes.'none'
script-src
for external scripts.strict-dynamic
source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self'
or 'unsafe-inline'
will be ignored. See script-src for an example.<meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
<IfModule mod_headers.c> Header set Content-Security-Policy "base-uri 'self'"; </IfModule>
add_header Content-Security-Policy "base-uri 'self';"
Given your domain isn't example.com, using a <base>
element with an href set to example.com will result in a CSP violation.
<meta http-equiv="Content-Security-Policy" content="base-uri 'self'"> <base href="http://example.com/"> // Error: Refused to set the document's base URI to 'http://example.com/' // because it violates the following Content Security Policy // directive: "base-uri 'self'"
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'base-uri' in that specification. | Editor's Draft | No changes. |
Content Security Policy Level 2 The definition of 'base-uri' in that specification. | Recommendation | Initial definition. |
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
---|---|---|---|---|---|---|
Basic support | 40 | No | 35 | No | 27 | 10 |
Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
---|---|---|---|---|---|---|---|
Basic support | Yes | Yes | No | 35 | No | ? | 9.3 |
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri