media-src
The media-src directive specifies the valid sources for media loaded through the <audio>, <video> and <track> elements.
Recommended Values
'self'
Allows media from the same origin
https://subdomain.domain.com
Allows media from a specific external site
Tips & Tricks
If media-src is not defined, the browser uses the default-src directive instead. If neither directive is present, media may be loaded from any source.
Examples
Allows media from the same origin and a specific external site
Content-Security-Policy: media-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<video src='/video.mp4'></video>

<!-- allowed by https://example.com -->
<video src='https://example.com/video.mp4'></video>

<!-- allowed by 'self' -->
<audio src='/audio.mp3'></audio>

<!-- allowed by https://example.com -->
<audio src='https://example.com/audio.mp3'>
  <track kind='subtitles' src='https://example.com/captions.vtt' srclang='en'>
</audio>
Blocked
<!-- blocked as the domain is not authorized -->
<video src='https://malicious.file.com/video.mp4'></video>

<!-- blocked as the domain is not authorized -->
<audio src='https://unauthorized.com/audio.mp3'></audio>

<!-- the audio itself is allowed by 'self', but the subtitle track is blocked as its domain is not authorized -->
<audio src='/audio.mp3'>
  <track kind='subtitles' src='https://unauthorized.com/captions.vtt' srclang='en'>
</audio>
Frequently Asked Questions
What is the media-src directive used for?
The media-src directive controls which sources can load media content through the <audio>, <video> and <track> elements in your web application. It helps prevent unauthorized media content from being loaded and played on your site.
Default Behavior
If media-src is not specified, the browser falls back to default-src for media loading permissions.
What are common values for media-src?
Common values include 'self' to allow media only from your domain, specific domains like trusted CDNs or media hosting services, and 'none' to block all media. For example, you might allow your own domain and a video hosting service: media-src 'self' https://videos.example.com
Security Note
Be careful when allowing media from external sources. Malicious media files could potentially exploit vulnerabilities in media players.
How does media-src affect streaming content?
media-src governs media that the browser loads itself through the src attribute of <audio>, <video> and <track>, whether that is a single file or a stream assigned directly to <video src> in browsers that play it natively. Players built on Media Source Extensions (typical HLS and DASH libraries) fetch manifests and segments with fetch() or XMLHttpRequest and feed them to the element themselves; those requests are governed by connect-src, not media-src. For streaming applications, make sure the relevant directive allows your streaming servers and any related media resources, both the initial manifest and the dynamically loaded segments.
Streaming Best Practice
When implementing streaming, ensure your policy includes all required domains for your media delivery network and any fallback servers: in media-src for media the browser loads directly, and in connect-src for segments your player script fetches itself.
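To make the fallback rule from Tips & Tricks, the Allowed/Blocked examples above and the streaming note concrete, here is an added example (not code from the original page or from any browser) in JavaScript: a small evaluator for CSP fetch directives that parses a policy header, applies the default-src fallback and matches a URL against 'self', 'none', '*', scheme sources and host sources with wildcards, ports and paths. It goes slightly beyond the page by handling any fetch directive, so the same code shows why an MSE-based player needs its CDN in connect-src as well as media-src. The page URL https://www.mysite.test/watch, the cdn.example.com host, the segment file names and the policy strings are constructed for the example; the matcher is simplified relative to the CSP specification (no percent-decoding of paths, strict same-origin 'self', no nonce or hash keywords, which do not apply to media-src anyway).

```javascript
// Added example, not part of the original page or any browser: a simplified
// evaluator for CSP fetch directives such as media-src and connect-src.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "media-src 'self' https://example.com; connect-src 'self'" -> Map(name -> tokens).
// When a directive is repeated, the first occurrence wins, as in the CSP spec.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// An absent fetch directive falls back to default-src; with neither present,
// the policy does not restrict that request type at all.
function effectiveSourceList(policy, directive) {
  if (policy.has(directive)) return { directive, sources: policy.get(directive) };
  if (policy.has("default-src")) return { directive: "default-src", sources: policy.get("default-src") };
  return { directive: null, sources: null };
}

// A policy scheme of http also allows https (and ws allows wss); otherwise exact.
function schemeCompatible(allowed, actual) {
  return allowed === actual || (allowed === "http:" && actual === "https:") || (allowed === "ws:" && actual === "wss:");
}

function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does one source expression match url, evaluated for a page at `page`?
function sourceMatches(expr, url, page) {
  const keyword = expr.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") { // simplified: strict same-origin, no http->https upgrade
    return url.protocol === page.protocol && url.hostname === page.hostname && portOf(url) === portOf(page);
  }
  if (keyword === "*") return url.protocol in DEFAULT_PORTS;           // network schemes only, never data:/blob:
  if (/^[a-z][a-z0-9+.-]*:$/.test(keyword)) return url.protocol === keyword; // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\*|\*?[^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(expr);
  if (!m) return false;                                                // a keyword this model does not handle
  const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol;      // no scheme: use the page's scheme
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];
  if (!schemeCompatible(scheme, url.protocol)) return false;
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false;            // *.example.com: subdomains only
  } else if (host !== "*" && url.hostname !== host) return false;
  if (port === undefined) {
    if (url.port !== "") return false;                                 // no port in policy: URL must use the default
  } else if (port !== "*" && portOf(url) !== port) return false;
  if (path) {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a request governed by `directive` for urlString be allowed on the page at pageUrl?
// Reports which directive was consulted (like a violation report's effective-directive)
// and which source expression matched.
function allows(header, directive, urlString, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(urlString, page);                                // resolves relative paths like /video.mp4
  const { directive: used, sources } = effectiveSourceList(parsePolicy(header), directive);
  if (sources === null) return { allowed: true, directive: null, matched: null };
  const matched = sources.find((expr) => sourceMatches(expr, url, page)) ?? null;
  return { allowed: matched !== null, directive: used, matched };
}

// Constructed sample page and the policy from the Examples section above.
const PAGE = "https://www.mysite.test/watch";
const POLICY = "media-src 'self' https://example.com;";
// An MSE player fetches segments itself with fetch()/XHR, so connect-src applies to them.
const STREAM_POLICY_BAD = "media-src 'self' https://cdn.example.com; connect-src 'self'";
const STREAM_POLICY_OK = "media-src 'self' https://cdn.example.com; connect-src 'self' https://cdn.example.com";

console.log(allows(POLICY, "media-src", "/video.mp4", PAGE));                                   // allowed by 'self'
console.log(allows(POLICY, "media-src", "https://example.com/video.mp4", PAGE));                // allowed by https://example.com
console.log(allows(POLICY, "media-src", "https://malicious.file.com/video.mp4", PAGE));         // blocked
console.log(allows("default-src 'self'", "media-src", "https://example.com/video.mp4", PAGE));  // blocked via default-src fallback
console.log(allows(STREAM_POLICY_BAD, "connect-src", "https://cdn.example.com/seg-001.ts", PAGE)); // blocked segment fetch
console.log(allows(STREAM_POLICY_OK, "connect-src", "https://cdn.example.com/seg-001.ts", PAGE));  // allowed
```

The returned `directive` field is the one a browser would name as effective-directive in a violation report, which is useful when a media element is blocked by a policy that never mentions media-src at all: the report points at default-src, and the fix is to add an explicit media-src rather than to widen default-src.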
Need to monitor CSP violations and maintain it easily?
Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.