It simplifies specifying multiple directives by providing a default value.

It blocks all external resources by default.

It allows loading resources from any domain.

It enables inline scripts without restrictions.

By using 'script-src mysite.com'

By using 'script-src mysite.com:*'

By using 'script-src *.mysite.com'

By using 'script-src mysite.com:80'

No resources of that type are allowed.

All resources are allowed from any domain.

Resources are allowed from any secure connection.

Only resources from the same domain are allowed.

To ensure they are treated as special keywords, not hostnames.

To allow them to be used as hostnames.

To make them case-insensitive.

To enable them to work in Internet Explorer.

none

unsafe-inline

self

unsafe-eval

It allows all scripts to run without restrictions.

It enables form submissions from any page.

It restricts actions that a page can take.

It allows loading resources from any domain.

It makes the page's origin the same as the rest of the site.

It enforces the page into a unique origin.

It allows the page to share origin with subdomains.

It removes all origin restrictions.