All of the directives that end with -src support similar values known as a source list. Multiple source list values can be space separated with the exception of 'none' which should be the only value.

Source Value	Example	Description
`*`	`img-src *`	Wildcard, allows any URL except data: blob: filesystem: schemes
`'none'`	`object-src 'none'`	Prevents loading resources from any source
`'self'`	`script-src 'self'`	Allows loading resources from the same origin (same scheme, host and port)
`data:`	`img-src 'self' data:`	Allows loading resources via the data scheme (e.g. Base64 encoded images)
`domain.example.com`	`img-src domain.example.com`	Allows loading resources from the specified domain name
`*.example.com`	`img-src *.example.com`	Allows loading resources from any subdomain under example.com
`https://cdn.com`	`img-src https://cdn.com`	Allows loading resources only over HTTPS matching the given domain
`https:`	`img-src https:`	Allows loading resources only over HTTPS on any domain
`'unsafe-inline'`	`script-src 'unsafe-inline'`	Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to)
`'unsafe-eval'`	`script-src 'unsafe-eval'`	Allows unsafe dynamic code evaluation such as Javascript eval()