
CSP Source Tester

Test URLs and inline content against a Content-Security-Policy. See the matched directive, source expression, and why each resource is allowed or blocked.

Policy: paste the policy with or without the Content-Security-Policy: prefix. Separate directives with semicolons.

Page origin: the origin of the protected page. It drives 'self' matching and the default scheme for host-sources that have no scheme part.


Resources to test

Add the URLs or inline content you want to evaluate against the policy.

  • Resource 1: external script (<script src="…">)
  • Resource 2: external script (<script src="…">)
  • Resource 3: image (<img> / favicon / background image)
  • Resource 4: image (<img> / favicon / background image)
  • Resource 5: fetch, XMLHttpRequest, EventSource, WebSocket
  • Resource 6: fetch, XMLHttpRequest, EventSource, WebSocket

6 results: 4 allowed, 2 blocked

Each card shows the resolved directive, the matched (or unmatched) source, and the exact reason.

  • Allowed (script-src-elem)

    https://cdn.example.com/bundle.js

    Host source https://cdn.example.com matches the target URL.

    Directive: script-src via https://cdn.example.com

    • 'self' would match only the page origin host (app.example.com), but the target host is cdn.example.com.
  • Blocked (script-src-elem)

    https://evil.example.org/tracker.js

    No source expression in script-src matched https://evil.example.org/tracker.js.

    Directive: script-src

    • 'self' would match only the page origin host (app.example.com), but the target host is evil.example.org.
    • Host cdn.example.com does not match evil.example.org.
  • Allowed (img-src)

    https://assets.example.com/logo.png

    Host source https://*.example.com matches the target URL.

    Directive: img-src via https://*.example.com

    • 'self' would match only the page origin host (app.example.com), but the target host is assets.example.com.
    • Scheme source data: does not match target scheme https:.
  • Allowed (img-src)

    data:image/svg+xml;base64,PHN2Zy8+

    Scheme source data: matches the target URL scheme (data:).

    Directive: img-src via data:

    • 'self' does not match blob:, data:, or filesystem: URLs.
  • Allowed (connect-src)

    https://api.example.com/v1/orders

    Host source https://api.example.com matches the target URL.

    Directive: connect-src via https://api.example.com

    • 'self' would match only the page origin host (app.example.com), but the target host is api.example.com.
  • Blocked (connect-src)

    wss://realtime.example.com/socket

    No source expression in connect-src matched wss://realtime.example.com/socket.

    Directive: connect-src

    • 'self' would match only the page origin host (app.example.com), but the target host is realtime.example.com.
    • Source scheme https: does not match target scheme wss:.

Resolved directives

Per-resource directive resolution after the CSP fallback chain is applied.

Resource | Requested directive | Resolved directive | Fallback chain
https://cdn.example.com/bundle.js | script-src-elem | script-src | script-src-elem → script-src → default-src
https://evil.example.org/tracker.js | script-src-elem | script-src | script-src-elem → script-src → default-src
https://assets.example.com/logo.png | img-src | img-src | img-src → default-src
data:image/svg+xml;base64,PHN2Zy8+ | img-src | img-src | img-src → default-src
https://api.example.com/v1/orders | connect-src | connect-src | connect-src → default-src
wss://realtime.example.com/socket | connect-src | connect-src | connect-src → default-src
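The fallback chain in the table and the verdict logic in the cards above can be reproduced in a short matcher. The following is an added example written for this page, not the CSP Source Tester's own code: it parses a header value, resolves the governing directive through the Level 3 chain, and evaluates 'self', scheme sources and host sources (wildcard hosts, ports, path prefixes). The policy text and page origin it runs against are constructed to reproduce the six sample verdicts, since the page does not print its sample policy; nonce, hash and 'strict-dynamic' handling are left out. It runs under Node.js, whose WHATWG URL parser does the same host, port and path splitting a browser does.

```javascript
// Added example, not the CSP Source Tester's own code: fallback-chain resolution
// plus 'self', scheme-source and host-source matching for URL requests.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'form-action': ['form-action'], // never falls back to default-src
  'frame-ancestors': ['frame-ancestors'], // never falls back to default-src
};
const DEFAULT_PORT = { http: 80, https: 443, ws: 80, wss: 443 };
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^\s?#]*)?$/i;
const schemeOf = (url) => url.protocol.slice(0, -1).toLowerCase();

// Header value (optional "Content-Security-Policy:" prefix) -> { directive: [sources] }.
// A repeated directive is ignored, as browsers do, so the first occurrence wins.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.replace(/^\s*content-security-policy:\s*/i, '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    const name = tokens.length ? tokens[0].toLowerCase() : null;
    if (name !== null && !(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Walk the fallback chain; null means no directive governs this request type.
function resolveDirective(policy, requested) {
  const chain = FALLBACK[requested] || [requested, 'default-src'];
  return chain.find((name) => name in policy) || null;
}

// scheme-part match: "http" also covers https; "ws" also covers wss, http and https.
function schemeMatches(source, target) {
  return source === target || (source === 'http' && target === 'https') ||
    (source === 'ws' && ['wss', 'http', 'https'].includes(target));
}

// 'self': same host, same port ('' is the scheme's default) and the same scheme or a
// secure (https/wss) target. data:, blob: and filesystem: URLs have no host, so never match.
function matchesSelf(url, origin) {
  const s = schemeOf(url), o = schemeOf(origin);
  return url.hostname !== '' && url.hostname === origin.hostname && url.port === origin.port &&
    (s === o || s === 'https' || s === 'wss' || (o === 'http' && s === 'ws'));
}

function matchesHostSource(expr, url, origin) {
  const m = HOST_SOURCE.exec(expr);
  if (!m || url.hostname === '') return false;
  const [, srcScheme, srcHost, srcPort, srcPath] = m;
  // A host-source with no scheme part inherits the page origin's scheme.
  if (!schemeMatches((srcScheme || schemeOf(origin)).toLowerCase(), schemeOf(url))) return false;
  const host = url.hostname.toLowerCase(), pattern = srcHost.toLowerCase();
  if (pattern.startsWith('*.') ? !host.endsWith(pattern.slice(1)) : pattern !== '*' && host !== pattern) return false;
  // No port in the source means the target must use its scheme's default port.
  if (srcPort === undefined ? url.port !== '' : srcPort !== '*' &&
      Number(srcPort) !== (Number(url.port) || DEFAULT_PORT[schemeOf(url)])) return false;
  // A path ending in "/" is a prefix; any other path must match exactly.
  if (srcPath && (srcPath.endsWith('/') ? !url.pathname.startsWith(srcPath) : url.pathname !== srcPath)) return false;
  return true;
}

// Verdict for one request: the directive that decided and the source expression that matched.
function evaluate(policy, pageOrigin, requested, target) {
  const directive = resolveDirective(policy, requested);
  if (directive === null) return { directive, allowed: true, via: null };
  const sources = policy[directive], url = new URL(target), origin = new URL(pageOrigin);
  if (sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'")) {
    return { directive, allowed: false, via: null };
  }
  for (const src of sources) {
    const lower = src.toLowerCase();
    const hit = lower === "'self'" ? matchesSelf(url, origin)
      : /^[a-z][a-z0-9+.-]*:$/.test(lower) ? schemeMatches(lower.slice(0, -1), schemeOf(url))
      : !lower.startsWith("'") && matchesHostSource(src, url, origin); // other keywords never match a URL
    if (hit) return { directive, allowed: true, via: src };
  }
  return { directive, allowed: false, via: null };
}

// Constructed sample policy and page origin; the original page does not print its policy text.
const PAGE_ORIGIN = 'https://app.example.com';
const SAMPLE_POLICY = parsePolicy(
  "Content-Security-Policy: default-src 'none'; script-src 'self' https://cdn.example.com; " +
  "img-src 'self' https://*.example.com data:; connect-src 'self' https://api.example.com");
const CHECKS = [
  ['script-src-elem', 'https://cdn.example.com/bundle.js'],
  ['script-src-elem', 'https://evil.example.org/tracker.js'],
  ['img-src', 'https://assets.example.com/logo.png'],
  ['img-src', 'data:image/svg+xml;base64,PHN2Zy8+'],
  ['connect-src', 'https://api.example.com/v1/orders'],
  ['connect-src', 'wss://realtime.example.com/socket'],
];
for (const [type, target] of CHECKS) {
  const r = evaluate(SAMPLE_POLICY, PAGE_ORIGIN, type, target);
  console.log(`${r.allowed ? 'Allowed' : 'Blocked'} ${r.directive}: ${target}${r.via ? ` via ${r.via}` : ''}`);
}
```

Two details worth noticing when reading the verdicts: a host-source without a port only matches the scheme's default port, so https://cdn.example.com:8443/bundle.js is a near-miss under the sample policy, and a request type whose chain runs dry (frame-ancestors or form-action with no such directive) is unrestricted rather than blocked by default-src.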

How to use

  1. Paste your Content-Security-Policy header value into the policy textarea. Use one of the sample policies (Strict starter, Nonce + strict-dynamic, Inline hash, Wildcard hosts, Frame ancestors) to see the matching rules in action.
  2. Set the page origin to the origin of the protected page (for example https://app.example.com). This drives 'self' matching and the default scheme for host-sources with no scheme part.
  3. Add each resource you want to test. Choose the request type (external script, image, fetch, iframe, frame ancestor, and so on), then either paste the resource URL or, for scripts and styles, switch on Inline content and paste the body (and the nonce attribute when relevant).
  4. Read each verdict card. Allowed cards name the matched source expression and explain why it matched. Blocked cards name the closest near-miss and the directive that owns the decision.
  5. Use Copy report to grab a plain-text summary suitable for a pull request, an audit document, or a Slack thread. Use the resolved directives table to confirm the fallback chain for each resource type.

About this tool

CSP Source Tester evaluates whether a Content-Security-Policy would allow or block a list of resources from loading on a protected page. Paste the policy header value (with or without the Content-Security-Policy: prefix), set the page origin, then add the resources you want to check. For each resource you choose a request type (external script, inline script body, style element, inline style attribute, image, font, fetch or XHR, iframe source, media, plugin object, manifest, worker, prefetch, form action, or frame ancestor) and a URL or inline body.

The tester resolves the governing directive using the W3C CSP Level 3 fallback chain: script-src-elem and script-src-attr fall back to script-src and then default-src; style-src-elem and style-src-attr fall back to style-src and then default-src; worker-src walks worker-src, child-src, script-src, default-src; form-action and frame-ancestors do not fall back to default-src. It then runs the documented URL source-list matching algorithm against every source expression in the resolved directive.

Keyword sources are recognized: 'none' blocks the directive entirely; 'self' matches the page origin with the documented scheme upgrade for https and wss; 'unsafe-inline', 'unsafe-eval', 'wasm-unsafe-eval', 'strict-dynamic', 'unsafe-hashes', and 'report-sample' are interpreted as the spec requires. Scheme-only sources (https:, data:, blob:, filesystem:, mediastream:, ws:, wss:) match any target with that scheme, including the documented http to https and ws to wss upgrades. Host-source matching covers an optional scheme, a host with a leading-* subdomain wildcard, an optional port (numeric or *), and an optional path prefix. Nonces and SHA-256, SHA-384, and SHA-512 hashes are matched against the inline body and the nonce attribute you provide; the digests are computed locally in the browser with SubtleCrypto, so the inline content is never transmitted.

The result list shows per-resource verdict cards (allowed or blocked), the resolved directive name, the matched source expression, the reason in plain language, and notes that explain near-misses (wrong scheme, missing port, host wildcard not matching, 'self' not matching blob URLs, 'strict-dynamic' suppressing host-source matches on scripts, nonces being ignored on inline style attributes, and so on). A resolved-directives table breaks the request types out so you can see exactly which directive each resource type fell back to.

The tool is useful when:

  • you are tightening a CSP and want to confirm that specific third-party hosts still load;
  • a vendor changed CDNs and you need to update one host source without breaking the rest;
  • an inline script needs a hash exception and you want the exact 'sha256-…' string to add;
  • 'strict-dynamic' is on and you want to see why a host allowlist is ignored;
  • iframe embedding is failing and you want to know whether frame-ancestors or X-Frame-Options is at fault;
  • an audit report points at a specific URL and you want to reproduce the browser's decision locally.

Everything runs in your browser; the policy, the page origin, the resource URLs, the inline bodies, and the computed hashes never leave your device.

