img-src
Content-Security-Policy Fetch

Overview

img-src controls where images and favicon resources may be loaded from, covering <img>, <picture>, CSS background-image, favicons, and SVG <image>. When omitted it inherits from default-src.

Details

Its value combines 'self', specific hosts (https://images.example.com), CDNs, and often the data: scheme. Many sites use inline base64 images, so data: is frequently allowed — but opening data: broadly lets attackers embed inline payloads, so restrict it to where it is genuinely needed. blob: is required to display client-generated images (e.g., Canvas toBlob).

Image loading carries low direct XSS risk, but external image requests enable user tracking/pingbacks and generate noisy CSP violation reports. Sites using ad or analytics pixels must allowlist those domains for images to render correctly.

Syntax

Content-Security-Policy: img-src 'self' data: https://images.example.com

Notes

Related directives