media-src
The media-src directive controls which sources may be used to load media content, that is, the <audio>, <video>, and <track> elements in your web application. This directive is crucial for securing media content delivery: it prevents the page from playing media fetched from unauthorized sources.
Recommended Values
- 'self': Allows media to be loaded from the page's own origin
- https://subdomain.domain.com/path: Allows media to be loaded from that specific origin and path
Recommended media-src configuration
Content-Security-Policy: media-src 'self';
Tips & Tricks
If media-src is not defined, the default-src directive will be used.
Using broad sources like data: or * is too permissive and may introduce security vulnerabilities. Use with caution.
Possible Values
- 'none': No media sources are allowed
- 'self': Only media from the same origin is allowed
- URLs: Specific domains (e.g., https://trusted-media.com)
- Schemes: Protocol schemes (e.g., https:)
- ⚠️ *: Allows all sources (insecure)
Example Configurations
Example policy with multiple sources
CSP Header for media sources
Content-Security-Policy: media-src 'self' https://trusted-media.com;
Allowed
<!-- allowed by 'self' -->
<video src="/video.mp4"></video>
<!-- allowed by https://trusted-media.com -->
<video src="https://trusted-media.com/video.mp4"></video>
<!-- allowed by 'self' -->
<audio src="/audio.mp3"></audio>
<!-- audio and track both allowed by https://trusted-media.com -->
<audio src="https://trusted-media.com/audio.mp3">
<track kind="subtitles" src="https://trusted-media.com/captions.vtt" srclang="en">
</audio>
Blocked
<!-- blocked as the domain is not authorized -->
<video src="https://malicious.file.com/video.mp4"></video>
<!-- blocked as the domain is not authorized -->
<audio src="https://unauthorized.com/audio.mp3"></audio>
<!-- the audio itself is allowed by 'self', but the track is blocked as its domain is not authorized -->
<audio src="/audio.mp3">
<track kind="subtitles" src="https://unauthorized.com/captions.vtt" srclang="en">
</audio>
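To make the allowed/blocked outcomes above (and the fallback to default-src from Tips & Tricks) concrete, here is an added example, not code from the original page or from any browser: a small evaluator that parses a Content-Security-Policy header value, picks the media-src list (or default-src when media-src is absent) and applies the CSP3 source-expression matching rules ('self', 'none', scheme sources, host sources with wildcards, ports and paths, and the wildcard *) to a media URL. The page origin https://app.example, the function names and the sample URLs are constructed assumptions.

```javascript
// Added example (not part of the page): evaluates whether a media URL would be
// permitted by a CSP header's media-src list, falling back to default-src.
// pageOrigin and all sample URLs are constructed values.

// Parse "name src src; name src" into Map(name -> [sources]). As in browsers,
// the first occurrence of a directive wins.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Match a host source such as "https://trusted-media.com", "*.cdn.example:8443/media/".
function hostSourceMatches(source, url, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme part: an explicit scheme must match exactly; an absent scheme
  // matches the page's own scheme, or https when the page is http.
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  // Host part: "*" matches any host; "*.example.com" matches subdomains only.
  const h = host.toLowerCase();
  const uh = url.hostname.toLowerCase();
  if (h === '*') {
    // any host
  } else if (h.startsWith('*.')) {
    if (!uh.endsWith(h.slice(1))) return false;
  } else if (uh !== h) {
    return false;
  }
  // Port part: absent means only the scheme's default port is allowed.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port === undefined) {
    if (url.port !== '') return false;
  } else if (port !== '*' && urlPort !== port) {
    return false;
  }
  // Path part: a trailing "/" is a prefix match, otherwise the path must be exact.
  if (path) {
    if (path.endsWith('/')) {
      if (!url.pathname.startsWith(path)) return false;
    } else if (url.pathname !== path) {
      return false;
    }
  }
  return true;
}

// Does one source expression from the list permit this URL?
function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  // "*" matches any network-scheme URL (or the page's own scheme) but never
  // data:, blob: or filesystem: URLs, which must be listed explicitly.
  if (s === '*') return NETWORK_SCHEMES.has(url.protocol) || url.protocol === page.protocol;
  // Scheme source, e.g. "https:" or "data:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  return hostSourceMatches(s, url, page);
}

// true if the media URL may be loaded by a page at pageOrigin under this header.
function mediaAllowed(headerValue, pageOrigin, mediaUrl) {
  const directives = parsePolicy(headerValue);
  const list = directives.get('media-src') ?? directives.get('default-src');
  if (list === undefined) return true; // no governing directive: CSP imposes no restriction
  const page = new URL(pageOrigin);
  const url = new URL(mediaUrl, pageOrigin); // resolves relative src values like "/video.mp4"
  return list.some((src) => sourceMatches(src, url, page));
}

// Constructed demonstration using the page's example policy.
const POLICY = "media-src 'self' https://trusted-media.com";
const PAGE = 'https://app.example';
for (const u of ['/video.mp4', 'https://trusted-media.com/video.mp4',
                 'https://malicious.file.com/video.mp4', 'https://unauthorized.com/captions.vtt']) {
  console.log(u, mediaAllowed(POLICY, PAGE, u) ? 'allowed' : 'blocked');
}
```

Two behaviours worth noticing when you run it: a port that is not the scheme's default (https://trusted-media.com:8443/...) is blocked even though the host is listed, and media-src * does not admit a data: URL, so a policy that relies on data: media has to name that scheme explicitly, which is exactly the over-broad grant the Tips & Tricks section warns about.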
Additional Information
- The media-src directive helps prevent unauthorized media content loading
- If not specified, the policy falls back to default-src
- Consider using HTTPS URLs for secure media delivery
- Carefully evaluate which media sources need to be allowed