diff --git a/files/en-us/_redirects.txt b/files/en-us/_redirects.txt
index 4ab8f8dafd91059..6545169f40fff51 100644
--- a/files/en-us/_redirects.txt
+++ b/files/en-us/_redirects.txt
@@ -12297,6 +12297,7 @@
/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference /en-US/docs/Web/HTTP/Headers/User-Agent/Firefox
/en-US/docs/Web/HTTP/HTTP_response_codes /en-US/docs/Web/HTTP/Status
/en-US/docs/Web/HTTP/Headers/Cache-Disposition /en-US/docs/Web/HTTP/Headers/Content-Disposition
+/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources /en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax
/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to /en-US/docs/Web/HTTP/Headers/Content-Security-Policy
/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer /en-US/docs/Web/HTTP/Headers/Referrer-Policy
/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for /en-US/docs/Web/HTTP/Headers/Content-Security-Policy
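Review bot: The added redirect for `/Content-Security-Policy/Sources` targets the fragment `#source_expression_syntax`, and the visible part of this patch does not show that heading being added to the Content-Security-Policy page; please confirm the section exists with exactly that id, otherwise old links land at the top of the page. A redirect also cannot translate old fragments such as `Sources#sources` (the form used by the link removed in the manifest.json hunk), so any remaining in-tree links that carry a fragment should be updated directly rather than left to this redirect.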
diff --git a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md
index ea17687c2c766f3..50be70f84a1fce1 100644
--- a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md
+++ b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md
@@ -65,7 +65,7 @@ In Manifest V2, a source for a script directive is considered secure if it meets
- Remote sources must not use wildcards for any domains in the [public suffix list](https://publicsuffix.org/list/) (so `*.co.uk` and `*.blogspot.com` are not allowed, although `*.foo.blogspot.com` is permitted).
- All sources must specify a host.
- The only permitted schemes for sources are `blob:`, `filesystem:`, `moz-extension:`, `https:`, and `wss:`.
-- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`.
+- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`.
## object-src directive
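Review bot: In the changed list item the link text is "keywords", but the new target `#source_expression_syntax` is the whole syntax section, which also covers host, scheme, nonce and hash sources rather than keywords alone. Consider linking each permitted keyword to its own anchor, as the base-uri hunk does with `#self`, provided such anchors exist for `'none'`, `'unsafe-eval'` and `'wasm-unsafe-eval'`.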
diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
index 4ed60863edfd126..cc1f0010ad57906 100644
--- a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
@@ -39,13 +39,11 @@ This directive may have one of the following values:
- : No base URI may be set using a `` element. The single quotes are mandatory.
- ``
- - : A space-separated list of _source expression_ values. A `` element may set a base URI if its value matches any of the given source expressions.
+ - : A space-separated list of _source expression_ values. A `` element may set a base URI if its value matches any of the given source expressions. For this directive, the following source expression values are applicable:
- Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`:
-
- - ``
- - ``
- - the keyword value `'self'`.
+ - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#host-source)
+ - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#scheme-source)
+ - [`'self'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#self)
## Examples
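Review bot: The replacement sentence ending "the following source expression values are applicable" drops the "only" that the removed paragraph had ("only the following subset of those values apply to `base-uri`"), so a reader can no longer tell that nonce, hash and `'unsafe-*'` expressions are not accepted by this directive. Suggest "For this directive, only the following source expression values are applicable:".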
diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md
index 053c4024e0398ef..31e4f7f8fa4481b 100644
--- a/files/en-us/web/http/headers/content-security-policy/form-action/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/form-action/index.md
@@ -42,13 +42,11 @@ This directive may have one of the following values:
- : No form submissions may be made. The single quotes are mandatory.
- ``
- - : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions.
+ - : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions. For this directive, the following source expression values are applicable:
- Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `form-action`:
-
- - ``
- - ``
- - the keyword value `'self'`.
+ - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#host-source)
+ - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#scheme-source)
+ - [`'self'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#self)
## Examples
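Review bot: The three new list links depend on `#host-source`, `#scheme-source` and `#self` being heading ids on the Content-Security-Policy page, which the visible part of this patch does not show; please check that they resolve, since a missing fragment silently falls back to the top of the page. The new lead-in sentence also loses the restriction stated in the removed paragraph ("only the following subset of those values apply to `form-action`") and would be clearer with "only" restored.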
diff --git a/files/en-us/web/http/headers/content-security-policy/sources/index.md b/files/en-us/web/http/headers/content-security-policy/sources/index.md
deleted file mode 100644
index 718568028210b53..000000000000000
--- a/files/en-us/web/http/headers/content-security-policy/sources/index.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: CSP source values
-slug: Web/HTTP/Headers/Content-Security-Policy/Sources
-page-type: http-csp-directive
-spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list
----
-
-{{HTTPSidebar}}
-
-HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below.
-
-As well as fetch directives, some other CSP directives may take as a value a space-separated list of source expressions, each of which may be a subset of the values listed below, namely: one of ``, ``, or the keyword `'self'`. These other directives are:
-
-- {{CSP("base-uri")}}
-- {{CSP("form-action")}}
-- {{CSP("frame-ancestors")}}
-
-Directives that accept a list of source expressions may instead be given the single value `'none'`, indicating that no resources of the given type may be loaded (or, in the case of non-fetch directives, that the associated feature is not allowed).
-
-## Sources
-
-- ``
-
- - : Internet host by name or IP address. The [URL scheme](/en-US/docs/Learn/Common_questions/Web_mechanics/What_is_a_URL), port number, and path are optional.
- Wildcards (`'*'`) can be used for subdomains, host address, and port number, indicating that all legal values of each are valid.
- When matching schemes, secure upgrades are allowed (e.g. specifying `http://example.com` will match `https://example.com`).
- Examples:
-
- - `http://*.example.com`: Matches all attempts to load from any subdomain of example.com. Also matches `https` resources.
- - `mail.example.com:443`: Matches all attempts to load from port 443 on mail.example.com.
- - `https://store.example.com`: Matches all attempts to access store.example.com using `https:`.
- - `*.example.com`: Matches all attempts to load from any subdomain of example.com.
- - `https://*.example.com:12/path/to/file.js`: Matches all attempts to load from any subdomain of example.com using `https:` on port 12, and only if the path is `/path/to/file.js`.
- - `ws://example.com`: Matches all attempts to load from example.com using `ws:`. Also matches `wss` resources.
- - `https://example.com/subdirectory`: Matches all attempts to load the exact path `https://example.com/subdirectory`.
- - `https://example.com/subdirectory/`: Matches all attempts to load files under `subdirectory` directory. For example, `https://example.com/subdirectory/path/to/file.js`. It does not match `https://example.com/path/to/file.js`.
-
- For more details about how path matching is done refer the [parts matching algorithms](https://w3c.github.io/webappsec-csp/#match-schemes) in the specification.
-
-- ``
-
- - : A scheme such as `http:` or `https:`.
- The colon is required.
- Unlike other values below, single quotes shouldn't be used.
- You can also specify data schemes (not recommended).
-
- - `data:` Allows [`data:` URLs](/en-US/docs/Web/URI/Schemes/data) to be used as a content source.
- _This is insecure; an attacker can also inject arbitrary `data:` URLs. Use this sparingly and definitely not for scripts._
- - `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Capture_and_Streams_API) to be used as a content source.
- - `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source.
- - `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source.
-
- > [!NOTE]
- > If a scheme source is missing, the document origin's scheme is used.
- > Secure upgrades are allowed, so if the document is loaded using `https:`, then `example.com` will match `https://example.com` but not `http://example.com`.
- > For more information, see [CSP Level 3](https://www.w3.org/TR/CSP3/#match-url-to-source-list).
-
-- `'self'`
- - : Refers to the origin from which the protected document is being served, including the same URL scheme and port number.
- You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives.
- Sites needing to allow these content types can specify them using the Data attribute.
-- `'unsafe-eval'`
- - : Allows the use of `eval()` and other unsafe methods for creating code from strings.
- You must include the single quotes.
-- `'wasm-unsafe-eval'`
- - : Allows the loading and execution of WebAssembly modules without the need to also allow unsafe JavaScript execution via `'unsafe-eval'`.
- The single quotes are required.
-- `'unsafe-hashes'`
- - : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers).
- If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), this is a safer method than using the `unsafe-inline` expression.
-- `'unsafe-inline'`
- - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), inline event handlers, and inline {{HTMLElement("style")}} elements.
- The single quotes are required.
-- `'nonce-'`
-
- - : An allowlist for specific scripts using a cryptographic nonce (number used once).
- The server must generate a unique nonce value each time it transmits a policy.
- It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial.
- See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example.
- Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support.
-
- > [!NOTE]
- > The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source).
-
-- `'-'`
- - : A sha256, sha384 or sha512 hash of scripts or styles.
- This value consists of the algorithm used to create the hash followed by a hyphen and the base64-encoded hash of the script or style.
- When generating the hash, exclude \
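Review bot: The removed page lists `frame-ancestors` next to `base-uri` and `form-action` as directives that take the restricted source list, but this patch has no diff for frame-ancestors/index.md between the form-action and sources diffs; if that page links to `/Content-Security-Policy/Sources` or describes its values the old way, it should get the same update. Separately, the deleted text carries security guidance (the warning that `data:` is insecure and should not be used for scripts, the requirement that the server generate a unique, unguessable nonce each time it transmits a policy, and the secure-upgrade scheme matching rules), and the visible part of the patch does not show where that text moves, so please confirm it is preserved in the `#source_expression_syntax` section rather than dropped.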