base-uri
Content-Security-Policy Document

Overview

base-uri restricts the base URL a document's <base> element may set. Since <base href> changes how all relative URLs on the page resolve, this prevents an attacker-injected <base> from hijacking resource paths wholesale. This directive does NOT fall back to default-src.

Details

If an XSS injects <base href="https://evil.example/">, every subsequently loaded relative script, image, and link resolves against the attacker's domain, enabling resource hijacking or nonce-based CSP bypass. Restricting to base-uri 'self' (or 'none') shuts down such base-injection attacks.

Crucially, base-uri does not inherit from default-src. base-uri, form-action, frame-ancestors, sandbox, and report-* are not covered by the default-src fallback, so setting only default-src 'self' leaves base-uri unrestricted. That is why Google's strict-CSP recommendation lists base-uri 'self' as one of the three essentials alongside a nonce-based script-src and object-src 'none'.

Syntax

Content-Security-Policy: base-uri 'self'

Notes

Related directives