base-uri
The base-uri directive restricts the URLs which can be used in a document's <base> element. This directive helps prevent attackers from changing the base URL, which could redirect relative URLs to malicious sites. If this directive is absent, the user agent will use the value in the <base> element, potentially allowing any URI to be used.
Recommended Values
- 'self': Restricts base URLs to the same origin as the document
Recommended base-uri configuration
Content-Security-Policy: base-uri 'self';
Tips & Tricks
- 'unsafe-inline' and 'strict-dynamic' do not apply to base-uri
- If not specified, any URI can be used in the <base> element, which could potentially be exploited.
Possible Values
- 'self': Only base URLs from the same origin are allowed
- URLs: Specific domains (e.g., https://trusted-domain.com)
- Schemes: Protocol schemes (e.g., https:)
Example Configurations
Restricts base element to same origin
Content-Security-Policy: base-uri 'self';
Allowed
<base href="https://mywebsite.com/">
Blocked
<base href="https://otherwebsite.com/">
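The following is an added example (not part of the original page) that evaluates whether a given <base href> would be honoured under a policy's base-uri directive. It implements the source matching described above ('self', host sources, scheme sources and 'none') in a simplified form, and also reflects a caveat the page's "if not specified" tip implies: base-uri does not fall back to default-src, so a policy without it leaves <base> unrestricted. The function names, header strings and URLs are constructed for illustration.

```python
from urllib.parse import urlparse


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, origin, target):
    """Does one CSP source expression match the target URL?
    Simplified: no path matching and no http->https 'self' upgrade."""
    o, t = urlparse(origin), urlparse(target)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (t.scheme, t.hostname, t.port) == (o.scheme, o.hostname, o.port)
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
        return t.scheme == src[:-1]
    # host-source, e.g. https://trusted-domain.com, *.example.com, example.com:8443
    s = urlparse(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != t.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        if not (t.hostname or "").endswith(host[1:]):
            return False
    elif t.hostname != host:
        return False
    if s.port is not None and s.port != t.port:
        return False
    return True


def base_href_allowed(csp_header, document_origin, base_href):
    """Decide whether a <base href> is honoured under the header's base-uri.
    A missing base-uri means no restriction: it does NOT inherit default-src."""
    sources = parse_csp(csp_header).get("base-uri")
    if sources is None:
        return True
    return any(source_matches(s, document_origin, base_href) for s in sources)
```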
Additional Information
- The base-uri directive is important for controlling the base URL used for relative URLs in your document
- It helps prevent attackers from manipulating the base URL to redirect requests to malicious endpoints
- Using 'self' is recommended as it ensures base URLs remain within your trusted domain