default-src as Fallback Directive
Understand how default-src acts as the fallback for all resource-type directives in CSP. Learn when to rely on it and when to override it with specific directives.
Detailed Explanation
Understanding default-src
The default-src directive is the cornerstone of every Content Security Policy. It serves as the fallback for any resource-type directive that is not explicitly set. If you only define default-src, it applies to scripts, styles, images, fonts, connections, frames, media, objects, and more.
How Fallback Works
When the browser evaluates a resource request, it checks for a matching specific directive first. If none is found, it falls back to default-src:
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com
In this policy:
- Scripts are governed by script-src: allowed from 'self' and https://cdn.example.com
- Styles fall back to default-src: allowed from 'self' only
- Images fall back to default-src: allowed from 'self' only
- All other resource types also fall back to default-src
Directives That Do NOT Fall Back to default-src
Some directives have their own independent defaults and are not covered by default-src:
- base-uri: restricts URLs for the <base> element
- form-action: restricts form submission targets
- frame-ancestors: controls who can embed your page (similar to X-Frame-Options)
- report-uri / report-to: violation reporting endpoints
- sandbox: applies sandbox flags to the page
- upgrade-insecure-requests: upgrades HTTP to HTTPS
These must be set explicitly if you want to restrict them.
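The fallback rule from the previous section and the no-fallback list above, as an added example that is not part of the original article: a small resolver that parses a CSP header and reports which source list actually governs each directive. It models only the single-level fallback to default-src that this article describes (the function names and the audit list are this example's own).

```python
from typing import Dict, List, Optional

# Directives the article lists as NOT falling back to default-src.
NO_FALLBACK = {
    "base-uri", "form-action", "frame-ancestors",
    "report-uri", "report-to", "sandbox", "upgrade-insecure-requests",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first token of each is the name
    (case-insensitive). A repeated directive is ignored: the first wins.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:  # skip empty segments such as a trailing ';'
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive` after fallback.

    An explicitly set directive uses its own sources. Resource-type
    directives otherwise inherit default-src. Directives in NO_FALLBACK
    are unrestricted when absent, signalled by None.
    """
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")  # None: no CSP restriction at all


def audit(header: str) -> Dict[str, Optional[List[str]]]:
    """Resolve common directives so an auditor can see the effective policy."""
    policy = parse_csp(header)
    checked = ["script-src", "style-src", "img-src", "frame-src",
               "object-src", "base-uri", "form-action", "frame-ancestors"]
    return {d: effective_sources(policy, d) for d in checked}


if __name__ == "__main__":
    # Constructed sample: the header used in the fallback section above.
    sample = "default-src 'self'; script-src 'self' https://cdn.example.com"
    for name, sources in audit(sample).items():
        print(f"{name:16} -> {sources if sources is not None else 'UNRESTRICTED'}")
```

Running it on the sample header shows script-src with its own list, style-src and img-src inheriting 'self', and base-uri, form-action and frame-ancestors left unrestricted because they never fall back.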
Common Patterns
Restrictive base with selective overrides:
default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'
Starting with default-src 'none' blocks everything by default, then each resource type is individually whitelisted. This is considered the most secure approach.
Permissive base with targeted restrictions:
default-src 'self'; frame-src 'none'; object-src 'none'
This allows same-origin resources broadly but explicitly blocks iframes and plugins.
Best Practice
Always define default-src as the first directive in your policy. Start with 'none' or 'self' and add specific directives only for resource types that need broader permissions.
Use Case
Understanding default-src is essential when designing any CSP. When auditing an existing policy, checking what default-src is set to immediately tells you the baseline restriction level. When building a new policy, choosing between default-src 'none' (strict) and default-src 'self' (moderate) sets the foundation that all other directives build upon.