The HTTP {{HTTPHeader("Content-Security-Policy")}} base-uri directive restricts the URLs which can be used in a document's {{HTMLElement("base")}} element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the {{HTMLElement("base")}} element.
CSP version | 2 |
---|---|
Directive type | {{Glossary("Document directive")}} |
{{CSP("default-src")}} fallback | No. Not setting this allows anything. |
Syntax
One or more sources can be allowed for the base-uri policy:
Content-Security-Policy: base-uri <source>;
Content-Security-Policy: base-uri <source> <source>;
Sources
{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
Examples
Meta tag configuration
<meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
Apache configuration
<IfModule mod_headers.c>
Header set Content-Security-Policy "base-uri 'self';"
</IfModule>
Nginx configuration
add_header Content-Security-Policy "base-uri 'self';";
Violation case
If your document is not served from example.com, a {{HTMLElement("base")}} element with an href set to example.com will result in a CSP violation.
<meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
<base href="http://example.com/">
// Error: Refused to set the document's base URI to 'http://example.com/'
// because it violates the following Content Security Policy
// directive: "base-uri 'self'"
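As an added example (not part of the original page and not browser code), this JavaScript sketch models how a base-uri policy decides whether a `<base href>` is accepted, including the missing default-src fallback. The origin https://app.example.org and the function names parsePolicy and baseAllowed are assumptions made for this illustration, and the source matching is simplified as the comments state.

```javascript
// Added illustration, not browser code: a simplified model of base-uri enforcement.
// Assumptions: 'self' is a strict same-origin test and host-sources are compared by
// origin only (paths ignored); wildcard sources are rejected rather than modelled.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function baseAllowed(header, documentUrl, baseHref) {
  const sources = parsePolicy(header).get('base-uri');
  // No base-uri directive: <base> is unrestricted, default-src is never consulted.
  if (sources === undefined) return true;
  const doc = new URL(documentUrl);
  const base = new URL(baseHref, doc); // relative hrefs resolve against the document
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s.includes('*')) throw new Error(`wildcard source not modelled: ${src}`);
    if (s === "'none'") return false;
    if (s === "'self'") return base.origin === doc.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return base.protocol === s; // scheme-source
    // Host-source without a scheme: assume the document's scheme.
    const withScheme = s.includes('://') ? s : `${doc.protocol}//${s}`;
    try { return new URL(withScheme).origin === base.origin; } catch { return false; }
  });
}

// Constructed sample: a document served from a hypothetical origin.
const DOC = 'https://app.example.org/account';
console.log(baseAllowed("default-src 'self'", DOC, 'http://example.com/'));
console.log(baseAllowed("default-src 'self'; base-uri 'self'", DOC, 'http://example.com/'));
console.log(baseAllowed("base-uri 'self'", DOC, '/static/'));
```

The first call shows why a policy audit should flag any header that sets default-src but omits base-uri: the foreign base URL is accepted.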
Specifications
Specification | Status | Comment |
---|---|---|
{{specName("CSP 3.0", "#directive-base-uri", "base-uri")}} | {{Spec2('CSP 3.0')}} | No changes. |
{{specName("CSP 1.1", "#directive-base-uri", "base-uri")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
Browser compatibility
{{Compat("http/headers/content-security-policy", "base-uri")}}
See also
- {{HTTPheader("Content-Security-Policy")}}
- {{HTMLElement("base")}}
- {{domxref("Node.baseURI")}}