CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.



Working draft or equivalent

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 59
  • Chrome for Android release 59
  • Android WebView release 59

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • No signal
  • Positive


Last updated on 2020-11-09