Revision 1143127 of CSP: base-uri

  • Revision slug: Web/HTTP/Headers/Content-Security-Policy/base-uri
  • Revision title: CSP: base-uri
  • Revision id: 1143127
  • Creator: fscholz
  • Is current revision? Yes

Revision Content

{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} base-uri directive restricts the URLs which can be used in a document's {{HTMLElement("base")}} element. If the directive is absent, any URI is allowed and the user agent simply uses whatever value the {{HTMLElement("base")}} element specifies.

  • CSP version: 2
  • Directive type: {{Glossary("Document directive")}}
  • {{CSP("default-src")}} fallback: No. Not setting this allows anything.

Syntax

One or more sources can be allowed for the base-uri policy:

Content-Security-Policy: base-uri <source>;
Content-Security-Policy: base-uri <source> <source>;

Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}

Examples

Meta tag configuration

<meta http-equiv="Content-Security-Policy" content="base-uri 'self'">

Apache configuration

<IfModule mod_headers.c>
Header set Content-Security-Policy "base-uri 'self';"
</IfModule>

Nginx configuration

add_header Content-Security-Policy "base-uri 'self';";

Violation case

Assuming your document is not served from example.com, using a {{HTMLElement("base")}} element with an href pointing at example.com results in a CSP violation, and the browser logs an error like the one shown below.

<meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
<base href="http://example.com/">

// Error: Refused to set the document's base URI to 'http://example.com/' 
// because it violates the following Content Security Policy 
// directive: "base-uri 'self'"
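To make the matching rules concrete, here is an added example (not MDN's own code) that decides whether a given <base href> would be allowed by the base-uri directive of a CSP header. It implements the 'none', 'self', scheme-source and host-source expressions and the rule stated above that base-uri has no default-src fallback; all URLs and hostnames used with it are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    # '*.example.com' matches any subdomain but not example.com itself.
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def base_uri_allowed(header, document_url, base_href):
    """True if base_href may be used as the document's base URI."""
    sources = parse_csp(header).get("base-uri")
    if sources is None:
        return True  # directive absent: no default-src fallback, anything goes
    doc, base = urlsplit(document_url), urlsplit(base_href)
    for src in sources:
        token = src.lower()
        if token == "'none'":
            continue  # matches nothing; alone it forbids every base URI
        if token == "'self'":
            if (base.scheme, base.netloc) == (doc.scheme, doc.netloc):
                return True
        elif token.endswith(":") and "/" not in token:
            if base.scheme == token[:-1]:  # scheme-source such as https:
                return True
        elif "'" not in token:  # host-source, optionally with scheme/port
            p = urlsplit(token if "://" in token else "//" + token)
            if (p.scheme in ("", base.scheme)
                    and _host_matches(p.hostname or "", base.hostname or "")
                    and (p.port is None or p.port == base.port)):
                return True
    return False
```

Running the page's violation case through it, `base_uri_allowed("base-uri 'self'", "https://shop.test/", "http://example.com/")` returns False, while the same call with a `default-src`-only policy returns True because no fallback applies.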

Specifications

Specification | Status | Comment
{{specName("CSP 3.0", "#directive-base-uri", "base-uri")}} | {{Spec2('CSP 3.0')}} | No changes.
{{specName("CSP 1.1", "#directive-base-uri", "base-uri")}} | {{Spec2('CSP 1.1')}} | Initial definition.

Browser compatibility

{{Compat("http/headers/content-security-policy", "base-uri")}}

See also

  • {{HTTPheader("Content-Security-Policy")}}
  • {{HTMLElement("base")}}
  • {{domxref("Node.baseURI")}}
