media-src

The media-src directive controls which sources can be used to load media content including <audio>, <video>, and <track> elements in your web application. This directive is crucial for securing media content delivery and preventing unauthorized media sources.

Recommended Values

  • 'self' Allows media to be loaded from the page's own origin (same scheme, host and port)

  • https://subdomain.domain.com/path Allows media to be loaded only from that host, over that scheme, at that exact path

Recommended media-src configuration

Content-Security-Policy: media-src 'self';

Tips & Tricks

  • If media-src is not defined, the default-src directive will be used.

  • Using broad source expressions such as data: or * is too permissive and may introduce security vulnerabilities (data: lets attacker-supplied inline content be played as media). Use with caution.

Possible Values

  • 'none': No media sources are allowed
  • 'self': Only media from the same origin is allowed
  • URLs: Specific domains (e.g., https://trusted-media.com)
  • Schemes: Protocol schemes (e.g., https:)
  • ⚠️ *: Allows all sources (insecure)

Example Configurations

Example policy with multiple sources

CSP Header for media sources

Content-Security-Policy: media-src 'self' https://trusted-media.com;

Allowed

<!-- allowed by 'self' -->
<video src="/video.mp4"></video>

<!-- allowed by https://trusted-media.com -->
<video src="https://trusted-media.com/video.mp4"></video>

<!-- allowed by 'self' -->
<audio src="/audio.mp3"></audio>

<!-- allowed by https://trusted-media.com -->
<audio src="https://trusted-media.com/audio.mp3">
<track kind="subtitles" src="https://trusted-media.com/captions.vtt" srclang="en">
</audio>

Blocked

<!-- blocked as the domain is not authorized -->
<video src="https://malicious.file.com/video.mp4"></video>

<!-- blocked as the domain is not authorized -->
<audio src="https://unauthorized.com/audio.mp3"></audio>

<!-- the <audio> source is allowed by 'self', but the <track> is blocked as its domain is not authorized -->
<audio src="/audio.mp3">
<track kind="subtitles" src="https://unauthorized.com/captions.vtt" srclang="en">
</audio>
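To make the allowed/blocked decisions above concrete, here is an added example (not part of the original page) of a small evaluator that applies a media-src directive to a media URL. It implements the source-expression forms listed under Possible Values ('none', 'self', host URLs including an exact path, scheme sources, *) and the fallback to default-src from Tips & Tricks; the page origin https://app.example.org is a constructed value, and 'self' is simplified to an exact scheme+host match.

```python
from urllib.parse import urljoin, urlsplit

def parse_csp(header):
    """Turn "media-src a b; default-src c" into {"media-src": ["a", "b"], ...}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_allows(expr, target, page):
    """Does one source expression permit the (already resolved) target URL?"""
    if expr == "'none'":
        return False
    if expr == "'self'":                 # simplified: same scheme and host[:port] as the page
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr == "*":                      # network URLs only; never data:, blob: or filesystem:
        return target.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":") and "/" not in expr:   # scheme source such as https:
        return target.scheme == expr[:-1].lower()
    host = urlsplit(expr if "://" in expr else "//" + expr)   # host source
    allowed_schemes = (host.scheme.lower(),) if host.scheme else (page.scheme, "https")
    if target.scheme not in allowed_schemes:
        return False
    want, got = (host.hostname or "").lower(), (target.hostname or "").lower()
    if want.startswith("*."):            # wildcard host: any subdomain of the suffix
        if not got.endswith(want[1:]):
            return False
    elif got != want:
        return False
    if host.path in ("", "/"):           # no path part: whole host is allowed
        return True
    if host.path.endswith("/"):          # trailing slash: directory prefix match
        return target.path.startswith(host.path)
    return target.path == host.path      # otherwise the path must match exactly

def media_allowed(header, media_url, page_url):
    """Apply media-src; if it is absent, default-src governs media instead."""
    policy = parse_csp(header)
    sources = policy.get("media-src", policy.get("default-src"))
    if sources is None:                  # neither directive present: media is unrestricted
        return True
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, media_url))   # resolve "/video.mp4" against the page
    return any(_source_allows(s, target, page) for s in sources)
```

Running the page's policy through it, /video.mp4 and https://trusted-media.com/video.mp4 come back allowed while https://malicious.file.com/video.mp4 and https://unauthorized.com/captions.vtt are blocked.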

Additional Information

  • The media-src directive helps prevent unauthorized media content loading
  • If not specified, the policy falls back to default-src
  • Consider using HTTPS URLs for secure media delivery
  • Carefully evaluate which media sources need to be allowed
