CentralCSP

manifest-src

The manifest-src directive specifies the sources from which the manifest can be loaded.

Recommended Values

  • 'self'

    Allows manifest files from the same origin

Tips & Tricks

  • If manifest-src is not defined, the default-src directive will be used.

Examples

  • Allows manifest files from the same origin and a specific external site

    Content-Security-Policy: manifest-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <link rel="manifest" href="/manifest.json">
    
    <!-- allowed by https://example.com -->
    <link rel="manifest" href="https://example.com/manifest.json">

    Blocked

    <!-- blocked as the domain is not authorized -->
    <link rel="manifest" href="https://malicious.website.com/manifest.json">

Frequently Asked Questions

What is the manifest-src directive used for?

The manifest-src directive controls which web app manifests can be loaded by your application. Web app manifests are JSON files that provide metadata about a web application, such as icons, name, and display preferences when installed on devices.

Default Behavior

If manifest-src is not specified, the browser falls back to default-src for manifest loading permissions.

What are common values for manifest-src?

The most common value is 'self', which allows loading manifests only from your own domain. For Progressive Web Apps that need to load manifests from a CDN or a different domain, you would specifically allow those domains. Using 'none' blocks all manifest files.
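The following is an added example, not CentralCSP's own code: a simplified model of how a browser decides whether a given <link rel="manifest"> URL is permitted by a Content-Security-Policy header. It covers the behaviour described on this page: the fallback from manifest-src to default-src when manifest-src is absent, the 'self' and 'none' keywords, and scheme/host sources such as https://example.com (it also handles wildcard hosts like https://*.example.com and explicit ports, which go beyond the page's example). The page URL https://app.example.org/ and the policy strings are constructed sample values; path-prefix matching and the http-to-https upgrade rules of the full CSP specification are deliberately omitted.

```javascript
// Default ports per scheme, used when a host source names a port but the URL
// relies on the scheme default.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "dir1 v1 v2; dir2 v3" into a Map of directive name -> source list.
// Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// The source list that governs manifests: manifest-src if present, otherwise
// default-src. Returns null when neither is set, meaning no restriction applies.
function governingSources(directives) {
  if (directives.has('manifest-src')) return directives.get('manifest-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does one source expression permit `url` when loaded by `page`? (simplified)
function sourceMatches(source, url, page) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;                 // 'none' matches nothing
  if (src === "'self'") return url.origin === page.origin;
  if (src === '*') return url.protocol in DEFAULT_PORTS; // any network scheme
  // Scheme source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
  // Host source: [scheme://]host[:port][/path]; the path part is ignored here
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A source without an explicit scheme inherits the page's scheme.
  if ((scheme ? scheme + ':' : page.protocol) !== url.protocol) return false;
  if (host.startsWith('*.')) {
    // "*.example.com" matches subdomains only, not example.com itself
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  // No port in the source means only the scheme's default port matches.
  if (port === undefined) return url.port === '';
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  return port === '*' || port === urlPort;
}

// Decide whether manifestUrl (absolute or page-relative) may be loaded by a
// page at pageUrl under the given Content-Security-Policy header value.
function isManifestAllowed(header, manifestUrl, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(manifestUrl, page);
  const sources = governingSources(parsePolicy(header));
  if (sources === null) return true; // neither manifest-src nor default-src set
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed sample: the page's example policy applied to its three manifest
// URLs, plus the default-src fallback and the 'none' case.
const SAMPLE_POLICY = "manifest-src 'self' https://example.com;";
const PAGE = 'https://app.example.org/';

function demo() {
  const cases = [
    [SAMPLE_POLICY, '/manifest.json'],
    [SAMPLE_POLICY, 'https://example.com/manifest.json'],
    [SAMPLE_POLICY, 'https://malicious.website.com/manifest.json'],
    ["default-src 'self'", 'https://example.com/manifest.json'],
    ["manifest-src 'none'", '/manifest.json'],
  ];
  return cases.map(([policy, href]) => ({
    policy, href, allowed: isManifestAllowed(policy, href, PAGE),
  }));
}

console.log(demo());
```

Run with node; the printed rows show the first two links allowed, the malicious domain blocked, the default-src fallback blocking the external manifest when manifest-src is missing, and 'none' blocking even the same-origin manifest.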

Security Note

Be cautious when allowing external manifest sources, as malicious manifests could potentially mislead users about your application.

How does manifest-src affect Progressive Web Apps (PWAs)?

manifest-src is crucial for PWAs as it controls where the web app manifest can be loaded from. If your manifest-src policy is too restrictive, it could prevent your PWA from properly installing or displaying installation prompts. Ensure your policy allows access to all required manifest resources.

PWA Best Practice

For most PWAs, setting manifest-src to 'self' is sufficient since manifests are typically served from the same origin as the application.

CentralSaaS © 2025