CSP hash expressions can match external scripts.

CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.

Specification

Working draft or equivalent

Status in Chromium

Blink components: Blink>SecurityFeature>ContentSecurityPolicy

In development (launch bug)

Consensus & Standardization

• Firefox: Public support
• Edge: No public signals
• Safari: No public signals
• Web Developers: Positive

Owners

• treib@chromium.org
• mkwst@chromium.org

Last updated on 2017-06-14